T1630.002 File Deletion
Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.1
Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.
Item | Value |
---|---|
ID | T1630.002 |
Sub-techniques | T1630.001, T1630.002, T1630.003 |
Tactics | TA0030 |
Platforms | Android |
Version | 1.1 |
Created | 30 March 2022 |
Last Modified | 20 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0440 | Agent Smith | Agent Smith deletes infected applications’ update packages when they are detected on the system, preventing updates.4 |
S0529 | CarbonSteal | CarbonSteal has deleted call log entries coming from known C2 sources.5 |
S0505 | Desert Scorpion | Desert Scorpion can delete copies of itself if additional APKs are downloaded to external storage.11 |
S0550 | DoubleAgent | DoubleAgent has deleted or renamed specific files.5 |
S0408 | FlexiSpy | FlexiSpy can delete data from a compromised device.2 |
S0421 | GolfSpy | GolfSpy can delete arbitrary files on the device.6 |
S0536 | GPlayed | GPlayed can wipe the device.12 |
S0485 | Mandrake | Mandrake can delete all data from an infected device.10 |
S0407 | Monokle | Monokle can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.7 |
S0399 | Pallas | Pallas has the ability to delete attacker-specified files from compromised devices.3 |
S0549 | SilkBean | SilkBean can delete various piece of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage.5 |
S0558 | Tiktok Pro | Tiktok Pro can delete attacker-specified files.13 |
S0418 | ViceLeaker | ViceLeaker can delete arbitrary files from the device.8 |
S0489 | WolfRAT | WolfRAT can delete files from the device.9 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1011 | User Guidance | Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0041 | Application Vetting | Permissions Requests |
DS0042 | User Interface | System Settings |
References
-
Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019. ↩
-
Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019. ↩
-
Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. ↩
-
A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020. ↩
-
A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. ↩↩↩
-
E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020. ↩
-
Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. ↩
-
GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019. ↩
-
W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back… . Retrieved July 20, 2020. ↩
-
R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020. ↩
-
A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020. ↩
-
V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020. ↩
-
S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021. ↩