T1662 Data Destruction
Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.
To achieve data destruction, adversaries may use the pm uninstall command to uninstall packages or the rm command to remove specific files. For example, adversaries may first use pm uninstall to uninstall non-system apps, and then use rm (-f) <file(s)> to delete specific files, further hiding malicious activity. [1][2]
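
A detection sketch for the sequence described above (an app issues pm uninstall, then a forced rm shortly afterwards). This is an added example, not part of the original technique entry; the record format, package names, paths and the 60-second window are constructed assumptions, and the functions `classify` and `detect` are hypothetical names.

```python
import shlex
from datetime import datetime, timedelta

# Constructed records: "<ISO time> <issuing app> <command line>". The format is
# an assumption for this example, not a real Android log format.
SAMPLE_LOG = """\
2023-09-26T10:00:01 com.example.dropper pm uninstall com.example.bank
2023-09-26T10:00:04 com.example.dropper rm -f /sdcard/Download/payload.apk
2023-09-26T10:05:00 com.example.files rm /sdcard/Download/old.txt
2023-09-26T11:00:00 com.example.store pm uninstall -k --user 0 com.example.game
2023-09-26T11:30:00 com.example.store rm -rf /data/local/tmp/cache
"""
WINDOW = timedelta(seconds=60)  # assumed correlation window

def classify(argv):
    """Return ("uninstall", package), ("force_rm", paths) or None."""
    if argv[:2] == ["pm", "uninstall"]:
        args = iter(argv[2:])
        for arg in args:
            if arg == "--user":
                next(args, None)  # --user takes a value; skip it
            elif not arg.startswith("-"):
                return ("uninstall", arg)  # first positional is the package
        return None
    if argv[:1] == ["rm"]:
        flags = [a for a in argv[1:] if a.startswith("-")]
        paths = [a for a in argv[1:] if not a.startswith("-")]
        # -f may be clustered with other short flags, e.g. -rf
        forced = any(f == "--force" or (not f.startswith("--") and "f" in f)
                     for f in flags)
        return ("force_rm", paths) if forced and paths else None
    return None

def detect(log, window=WINDOW):
    """Flag a forced rm issued by the same app shortly after pm uninstall."""
    last_uninstall, findings = {}, []
    for line in log.splitlines():
        ts, source, cmd = line.split(" ", 2)
        when = datetime.fromisoformat(ts)
        hit = classify(shlex.split(cmd))
        if hit is None:
            continue
        kind, value = hit
        if kind == "uninstall":
            last_uninstall[source] = (when, value)
        elif source in last_uninstall:
            seen, package = last_uninstall[source]
            if when - seen <= window:
                findings.append({"source": source, "package": package,
                                 "paths": value, "time": ts})
    return findings
```

On the constructed sample, only the first pair is flagged: the plain rm lacks -f, and the second forced rm falls outside the correlation window.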
| Item | Value |
|---|---|
| ID | T1662 |
| Sub-techniques | |
| Tactics | TA0034 |
| Platforms | Android |
| Version | 1.0 |
| Created | 22 September 2023 |
| Last Modified | 27 September 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1094 | BRATA | BRATA can perform a factory reset. [3] |
| S1185 | LightSpy | LightSpy has deleted media files and messenger-related files on the device. [6] Additionally, LightSpy has used the AppDelete plugin to remove multiple messaging applications, such as WeChat, QQ, Telegram, Line and WhatsApp. [5] |
| S1241 | RatMilad | RatMilad has deleted files on the device. [4] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1011 | User Guidance | Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups. |
References
1. Hu, W., et al. (2015, December 4). Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information. Retrieved September 26, 2023.
2. Surana, N., et al. (2022, September 8). How Malicious Actors Abuse Native Linux Tools in Attacks. Retrieved September 26, 2023.
3. Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.
4. Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025.
5. Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy’s iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.
6. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.