1. Home
  2. Techniques
  3. Mobile
  4. Data Destruction

Data Destruction

Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.

To achieve data destruction, adversaries may use the pm uninstall command to uninstall packages or the rm command to remove specific files. For example, adversaries may first use pm uninstall to uninstall non-system apps, and then use rm (-f) <file(s)> to delete specific files, further hiding malicious activity.[1][2]

ID: T1662
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android
Contributors: Liran Ravich, CardinalOps
Version: 1.0
Created: 22 September 2023
Last Modified: 27 September 2023
Version Permalink

Procedure Examples

ID Name Description
S1094 BRATA

BRATA can perform a factory reset.[3]
S1185 LightSpy

LightSpy has deleted media files and messenger-related files on the device.[4] Additionally, LightSpy has used the AppDelete plugin to remove multiple messaging applications, such as WeChat, QQ, Telegram, Line and Whatsapp.[5]

S1241 RatMilad

RatMilad has deleted files on the device.[6]

Mitigations

ID Mitigation Description
M1011 User Guidance

Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0671 Detection of Data Destruction AN1769

The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing.
Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes.
The user is prompted for approval when an application requests device administrator permissions.
Application vetting services may detect API calls for deleting files.
Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.

References

  1. Hu, W., et al. (2015, December 4). Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information. Retrieved September 26, 2023.
  2. Surana, N., et al. (2022, September 8). How Malicious Actors Abuse Native Linux Tools in Attacks. Retrieved September 26, 2023.
  3. Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.
  1. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.
  2. Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.
  3. Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.