MITRE ATT&CK® Analytic

AN1712: Analytic 1712

Correlates (1) application access to or staging of local files likely to be of operational, evidentiary, or user value, (2) deletion of those files or wipe-like destructive actions through ordinary storage access, administrative controls, or privileged/rooted paths, and (3) continued app or device activity after deletion, including cleanup, concealment, or outbound transfer. The defender observes a causal chain where files are first accessed or prepared, then removed, and device-side behavior continues after evidence or data is gone.

Domain: Mobile | ID: AN1712 | Type: Analytic | Object version 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1712 is an Android-focused detection analytic for identifying a suspicious sequence: an app accesses or stages valuable local files, those files are then deleted or wiped through normal storage access, administrative controls, or privileged/rooted paths, and the app or device continues activity afterward. For leaders, the value is not just spotting deletion; it is recognizing a chain that may affect evidence preservation, incident reconstruction, user data protection, and confidence in mobile investigations.

Executive priority

Prioritize this analytic where Android devices carry operational, evidentiary, regulated, or user-sensitive data. The business question is whether mobile security, SOC, and incident response teams can prove what happened before and after deletion events. This matters for continuity, legal or compliance evidence, and incident decision-making because post-deletion activity may leave the organization with fewer artifacts unless collection and response processes are ready.

Technical view

SOC and detection teams should validate whether Android telemetry can correlate three phases on the same device or app context: file access or staging, deletion or wipe-like action, and continued activity after deletion such as cleanup, concealment, or outbound transfer. Because ATT&CK provides no formal detection logic for this analytic, teams should build and test correlation around timing, causality, file value, app identity, storage path, privilege context, and subsequent device or network behavior. The analytic is most useful when it distinguishes ordinary user/app file management from sequences that remove potentially important data while activity continues.

Likely telemetry

  • Android application activity and app identity context
  • Local file access, staging, modification, and deletion events where available
  • Storage access events, including ordinary storage APIs or file manager behavior
  • Administrative-control or device-management actions related to deletion or wipe-like behavior
  • Privileged or rooted path activity where such telemetry is collected

Detection direction

  • Validate that telemetry can preserve event order: access or staging before deletion, then continued activity after deletion.
  • Tune correlation windows to the local Android logging depth and expected app behavior; overly broad windows may create false positives from normal cache cleanup or user-initiated file management.
  • Prioritize files or paths with operational, evidentiary, or user value rather than treating all deletion as equally suspicious.
  • Include app identity, signing/package context, privilege/root state, and device-management context to reduce ambiguity.
  • Review blind spots where Android privacy controls, limited endpoint logging, lack of root visibility, or delayed collection prevent reliable file-event correlation.
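As an added example (not part of the MITRE analytic or Glexia's page), the three-phase correlation described above written out in Python and run over constructed Android-style events: phase 1 counts only access to high-value paths, phase 2 accepts a same-file deletion or a wipe-like action, and phase 3 requires follow-on activity after the deletion, all within one package and in strict time order. Event kinds, field names, the windows and the high-value path list are assumptions to replace with local telemetry and baselines.

```python
# Added example (not MITRE or Glexia code): correlator for the AN1712 access -> deletion ->
# continued-activity chain over constructed events; names, windows and paths are assumptions.
from datetime import datetime, timedelta

HIGH_VALUE = ("/sdcard/DCIM/", "/sdcard/Documents/", "/data/data/com.example.bank/")
DESTRUCTIVE = {"file_delete", "admin_wipe", "root_rm"}                        # phase 2
FOLLOW_ON = {"network_egress", "cache_clear", "file_rename", "app_activity"}   # phase 3

def correlate(events, delete_window=timedelta(minutes=10), activity_window=timedelta(minutes=30)):
    """One alert per chain, correlated within the same package and in strict time order."""
    by_pkg = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pkg.setdefault(e["package"], []).append(e)
    alerts = []
    for pkg, evs in by_pkg.items():
        for i, access in enumerate(evs):
            if access["event"] != "file_access" or not access["path"].startswith(HIGH_VALUE):
                continue            # phase 1 counts only access to files worth protecting
            for j in range(i + 1, len(evs)):
                d = evs[j]
                if d["ts"] - access["ts"] > delete_window:
                    break           # nothing destructive soon enough after the access
                # phase 2: same file deleted, or a wipe-like action ("*") removing everything
                if d["event"] not in DESTRUCTIVE or d["path"] not in ("*", access["path"]):
                    continue
                after = [e["event"] for e in evs[j + 1:]
                         if e["event"] in FOLLOW_ON and e["ts"] - d["ts"] <= activity_window]
                if after:           # phase 3: the app kept going after the data was gone
                    alerts.append({"package": pkg, "path": access["path"], "deletion": d["event"],
                                   "privileged": d["privileged"], "after": after})
                break
    return alerts
def ev(ts, package, event, path="", privileged=False):
    return {"ts": datetime.fromisoformat(ts), "package": package, "event": event,
            "path": path, "privileged": privileged}

SAMPLE = [  # constructed events, not real telemetry
    ev("2024-05-01T10:00:00", "com.example.photo", "file_access", "/sdcard/DCIM/IMG_001.jpg"),
    ev("2024-05-01T10:02:00", "com.example.photo", "file_delete", "/sdcard/DCIM/IMG_001.jpg"),
    ev("2024-05-01T10:05:00", "com.example.photo", "network_egress"),           # -> alert
    ev("2024-05-01T10:00:00", "com.android.chrome", "file_access", "/data/data/com.android.chrome/cache/a"),
    ev("2024-05-01T10:01:00", "com.android.chrome", "file_delete", "/data/data/com.android.chrome/cache/a"),
    ev("2024-05-01T10:02:00", "com.android.chrome", "app_activity"),            # benign cache cleanup
    ev("2024-05-01T11:00:00", "com.example.notes", "file_delete", "/sdcard/Documents/n.txt"),
    ev("2024-05-01T11:01:00", "com.example.notes", "file_access", "/sdcard/Documents/n.txt"),
    ev("2024-05-01T11:02:00", "com.example.notes", "network_egress"),           # wrong order: no alert
    ev("2024-05-01T12:00:00", "com.example.admin", "file_access", "/sdcard/Documents/r.pdf", True),
    ev("2024-05-01T12:03:00", "com.example.admin", "admin_wipe", "*", True),     # privileged wipe
    ev("2024-05-01T12:04:00", "com.example.admin", "network_egress"),           # -> alert
]
```

Calling `correlate(SAMPLE)` yields two alerts (the photo app and the privileged wipe) and none for the cache cleanup or the out-of-order sequence; the windows are the knobs to tune against local false-positive rates.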

Mitigation priorities

  • Confirm Android fleet visibility first: MDM/UEM, mobile EDR, logging retention, and forensic readiness for file and app activity.
  • Protect high-value mobile data with access controls, backup/retention expectations, and device-management policies appropriate to the environment.
  • Limit unnecessary privileged/rooted device use and ensure administrative wipe or deletion capabilities are governed and auditable.
  • Define incident response playbooks for rapid preservation of Android device evidence when deletion or wipe-like behavior is suspected.
  • Use compliance and audit reviews to verify that mobile evidence retention and deletion-event investigation procedures are documented and testable.

Analyst notes and limits

This object is a detection analytic, not a technique or malware profile. No tactics, relationships, aliases, or formal ATT&CK detection text were supplied. The strongest supported interpretation is a behavioral correlation pattern on Android involving file access or staging, deletion/wipe-like action, and continued app or device activity afterward.

Coverage depends heavily on local Android telemetry, device-management configuration, endpoint tooling, and forensic access. The supplied ATT&CK fields do not identify specific data sources, detection logic, threat actors, campaigns, impacts, or active exploitation. Local baselining is required to separate suspicious chains from normal app cleanup or user file deletion.

Official MITRE ATT&CK definition


The definition reproduced at the top of this page is MITRE's own text; view the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created: (blank in the mirrored snapshot)
Modified: (blank in the mirrored snapshot)
Raw hash: 4161363ed77c7d36...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.1            |          | Current bundle | 4161363ed77c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1712 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.