Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.
To achieve data destruction, adversaries may use the `pm uninstall` command to uninstall packages or the `rm` command to remove specific files. For example, adversaries may first use `pm uninstall` to uninstall non-system apps, and then use `rm (-f) <file(s)>` to delete specific files, further hiding malicious activity.[1][2]
ID | Mitigation | Description
---|---|---
M1011 | User Guidance | Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.
ID | Data Source | Data Component | Detects
---|---|---|---
DS0041 | Application Vetting | API Calls | Application vetting services may detect API calls for deleting files.
DS0041 | Application Vetting | Permissions Requests | Mobile security products can detect which applications can request device administrator permissions. Application vetting services could apply extra scrutiny to applications that request device administrator permissions.
DS0017 | Command | Command Execution | Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes.
DS0042 | User Interface | Permissions Request | The user is prompted for approval when an application requests device administrator permissions.
DS0042 | User Interface | System Settings | The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing.
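The following is an added example, not part of the ATT&CK page, of the DS0017 Command Execution detection applied to the `pm uninstall` then `rm -f` sequence described above. It assumes an MTD agent exports one process-execution record per line in a constructed `<epoch> uid=<uid> cmd=<command line>` format and that a baseline of system package names is available; both are assumptions, not a real product's format.

```python
import re
from collections import defaultdict

# Constructed record format: "<epoch> uid=<uid> cmd=<command line>"; a real MTD export differs.
LINE_RE = re.compile(r"^(?P<ts>\d+) uid=(?P<uid>\d+) cmd=(?P<cmd>.+)$")
# Assumed baseline of system packages; in practice derive it from a known-good device image.
SYSTEM_PACKAGES = {"com.android.settings", "com.android.systemui"}
WINDOW_SECONDS = 300  # a forced rm this soon after uninstalling a user app is suspicious

# Constructed sample telemetry: uid 10045 performs the uninstall-then-delete sequence.
SAMPLE_LOG = """\
1700000000 uid=10045 cmd=pm uninstall com.example.bank
1700000010 uid=10045 cmd=rm -f /sdcard/Download/statement.pdf /sdcard/DCIM/img1.jpg
1700000020 uid=10080 cmd=ls /sdcard
1700000400 uid=10090 cmd=pm uninstall com.android.settings
1700005000 uid=10045 cmd=rm -rf /sdcard/notes.txt
garbage line that does not parse
"""

def parse(log_text):
    """Yield (timestamp, uid, argv) per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m["ts"]), m["uid"], m["cmd"].split()

def is_forced_rm(argv):
    """True for rm invoked with an -f style flag (rm -f, rm -rf, rm -fr, ...)."""
    return argv[:1] == ["rm"] and any(a.startswith("-") and "f" in a for a in argv[1:])

def find_destruction_sequences(log_text):
    """Return one alert per uid that uninstalls a non-system package and then
    runs a forced rm within WINDOW_SECONDS, listing the paths it tried to delete."""
    pending = defaultdict(list)  # uid -> [(ts, package)] uninstalls awaiting a follow-up rm
    alerts = []
    for ts, uid, argv in parse(log_text):
        if argv[:2] == ["pm", "uninstall"] and len(argv) > 2:
            pkg = argv[-1]
            if pkg not in SYSTEM_PACKAGES:  # removing a system app is a different signal
                pending[uid].append((ts, pkg))
        elif is_forced_rm(argv):
            recent = [pkg for u_ts, pkg in pending[uid] if ts - u_ts <= WINDOW_SECONDS]
            if recent:
                paths = [a for a in argv[1:] if not a.startswith("-")]
                alerts.append({"uid": uid, "packages": recent, "paths": paths})
                pending[uid].clear()  # one alert per sequence

    return alerts

if __name__ == "__main__":
    for alert in find_destruction_sequences(SAMPLE_LOG):
        print(alert)
```

The lone `rm -rf` later in the sample is not alerted on by itself; a deployment would normally log it at lower severity rather than drop it.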