Data Destruction

Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.

To achieve data destruction, adversaries may use the pm uninstall command to uninstall packages or the rm command to remove specific files. For example, adversaries may first use pm uninstall to uninstall non-system apps, and then use rm (-f) <file(s)> to delete specific files, further hiding malicious activity.[1][2]

ID: T1662
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android
Contributors: Liran Ravich, CardinalOps
Version: 1.0
Created: 22 September 2023
Last Modified: 27 September 2023

Procedure Examples

ID Name Description

BRATA can perform a factory reset.[3]


ID Mitigation Description
M1011 User Guidance

Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.


ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services may detect API calls for deleting files.

Permissions Requests

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.

DS0017 Command Command Execution

Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes.

DS0042 User Interface Permissions Request

The user is prompted for approval when an application requests device administrator permissions.

System Settings

The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing.