MITRE ATT&CK® Technique

T1630.002: File Deletion

Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.[1]

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.

Domain: Mobile | ID: T1630.002 | Type: Sub-technique | Object version: 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

File Deletion (T1630.002) matters because a mobile app can remove evidence or business data from an Android device, and full device wipe requires administrator access. For leaders, the key issue is not just malware cleanup; it is whether mobile security, MDM, and incident response processes can preserve evidence and recover from targeted deletion of documents, databases, stored emails, update files, or other local data.

Executive priority

Prioritize this where Android devices hold regulated data, operational records, executive communications, or field-worker information. Ask whether users can grant administrator access to untrusted apps, whether mobile incidents preserve evidence before remote cleanup, and whether audit/compliance evidence depends on data that may exist only on the device. The supplied ATT&CK relationships show this behavior is used by multiple mobile malware and surveillanceware entries, making it a practical coverage question for mobile security programs rather than a theoretical edge case.

Technical view

ATT&CK lists this as an Android mobile sub-technique of Indicator Removal on Host (T1630). The official detection field is not provided, but a related detection strategy, DET0638 Detection of File Deletion, exists. SOC and IR teams should validate visibility into device administrator status, wipe-related actions exposed through Android DevicePolicyManager controls, and file deletion activity in app-accessible storage locations where collection is feasible. Because individual file deletion may not require special permissions depending on storage location, detection should not rely only on administrator-access events. Relationship context includes many Android software entries using this behavior; it also includes some iOS-related mobile objects, so defenders should treat the platform scope carefully and validate against their own mobile fleet rather than assuming identical telemetry across platforms.

Likely telemetry

  • Android device administrator enablement or policy-change events
  • MDM or mobile security alerts for device wipe or destructive device-management actions
  • Mobile EDR or on-device security events indicating unusual file deletion
  • Application permission, installation, and behavior records for apps with access to sensitive storage locations
  • Filesystem or app-storage change evidence where the mobile security stack can collect it

Detection direction

  • Confirm what DET0638-style file deletion coverage means in the environment, since no official detection logic is supplied in the ATT&CK object.
  • Tune for destructive activity by apps with administrator access, but also look for deletion in storage locations where special permissions may not be required.
  • Correlate deletion events with suspicious app installation, permission changes, device administrator grants, and mobile security alerts.
  • Account for false positives from legitimate user cleanup, app updates, storage management, and approved remote wipe workflows.
  • Validate whether evidence is retained off-device; this technique may interfere with event collection and reporting as part of Indicator Removal on Host.
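The correlation described in the bullets above, as an added example that is not part of the Glexia take or of any ATT&CK object: it reads a constructed key=value event feed (the log format, package names, device IDs, paths and the approved-initiator list are all assumptions, not real telemetry) and flags three patterns: a device wipe not initiated by the approved remote-wipe workflow, file deletion by a package that was granted device administrator within a time window, and deletion under sensitive storage paths by a package that never received administrator access (which the page notes may not require special permissions). Deletions by packages with no admin grant outside sensitive paths are left alone to limit noise from ordinary user cleanup.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not real MDM/EDR telemetry). Format assumed here:
# ISO timestamp followed by space-separated key=value fields.
SAMPLE_LOG = """\
2024-05-01T09:58:00Z device=dev-001 pkg=com.android.settings event=app_installed name=com.example.cleaner
2024-05-01T10:00:00Z device=dev-001 pkg=com.example.cleaner event=device_admin_enabled
2024-05-01T10:05:00Z device=dev-001 pkg=com.example.cleaner event=file_delete path=/sdcard/Documents/q3-forecast.xlsx
2024-05-01T10:06:00Z device=dev-001 pkg=com.example.cleaner event=file_delete path=/sdcard/Download/update-1.2.apk
2024-05-01T11:30:00Z device=dev-002 pkg=com.example.notes event=file_delete path=/sdcard/Documents/draft.txt
2024-05-01T12:00:00Z device=dev-003 pkg=mdm-agent event=device_wipe initiator=mdm-console ticket=IR-1234
2024-05-01T12:10:00Z device=dev-004 pkg=com.example.cleaner event=device_wipe initiator=com.example.cleaner
2024-05-01T13:00:00Z device=dev-005 pkg=com.example.photos event=file_delete path=/sdcard/DCIM/IMG_0001.jpg
"""

# Assumptions for this example: the organisation's approved remote-wipe workflow
# is identified by this initiator value, and these prefixes hold business data.
APPROVED_WIPE_INITIATORS = {"mdm-console"}
SENSITIVE_PREFIXES = ("/sdcard/Documents", "/sdcard/Download")
ADMIN_WINDOW = timedelta(hours=1)  # how long after an admin grant deletions stay suspicious


def parse_line(line):
    """Turn one 'ts k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate(events, window=ADMIN_WINDOW):
    """Return findings as (rule, severity, device, pkg, path) tuples."""
    events = sorted(events, key=lambda e: e["ts"])
    admin_grants = {}  # (device, pkg) -> time of the most recent device_admin_enabled
    findings = []
    for e in events:
        key = (e["device"], e["pkg"])
        kind = e.get("event")
        if kind == "device_admin_enabled":
            admin_grants[key] = e["ts"]
        elif kind == "device_wipe":
            # Full wipe needs administrator access; anything outside the approved
            # workflow is treated as high severity even before other context is known.
            if e.get("initiator") not in APPROVED_WIPE_INITIATORS:
                findings.append(("unapproved_wipe", "high", e["device"], e["pkg"], None))
        elif kind == "file_delete":
            path = e.get("path", "")
            grant = admin_grants.get(key)
            if grant is not None and e["ts"] - grant <= window:
                findings.append(("delete_after_admin_grant", "high", e["device"], e["pkg"], path))
            elif path.startswith(SENSITIVE_PREFIXES):
                # No admin grant seen: deletion here may still need no special
                # permission, so do not rely on admin events alone. Lower severity
                # because legitimate user cleanup lands here too.
                findings.append(("sensitive_delete_without_admin", "low", e["device"], e["pkg"], path))
    return findings


def run_sample():
    return correlate(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

In the constructed feed the approved MDM wipe on dev-003 and the photo deletion on dev-005 produce nothing, while the wipe on dev-004, the two deletions on dev-001 after the admin grant, and the Documents deletion on dev-002 are surfaced with their severities. Real feeds will differ in field names and in what the mobile security stack can actually collect, so the parser and the path list are the parts to adapt first.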

Mitigation priorities

  • Use the supplied M1011 User Guidance mitigation: train users to avoid granting risky permissions or administrator access to untrusted applications.
  • Review mobile configuration standards so administrator-capable apps and wipe-capable management functions are limited to approved use cases.
  • Ensure incident response playbooks prioritize evidence preservation before routine device reset or cleanup when suspicious deletion is suspected.
  • For higher-risk Android populations, validate mobile security and management controls against file deletion and wipe scenarios in testing rather than assuming coverage.

Analyst notes and limits

This object replaces/revokes older T1447 Delete Device Data and is a sub-technique of T1630 Indicator Removal on Host. The behavior is associated through ATT&CK relationships with multiple mobile software entries including Pallas, Monokle, FlexiSpy, ViceLeaker, GolfSpy, Agent Smith, Mandrake, WolfRAT, Desert Scorpion, CarbonSteal, GPlayed, SilkBean, DoubleAgent, Tiktok Pro, Hornbill, Fakecalls, DocSwap, and others, plus Operation Triangulation-related mobile objects. These relationships support prioritizing mobile visibility and IR readiness, but they do not by themselves prove exposure in any specific environment.

ATT&CK provides no official detection text for this object, and the tactic field is not specified. The main object platform is Android, while some relationship context references iOS mobile objects; local platform scoping and telemetry validation are required. This take does not assert active exploitation, customer exposure, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID     | Name                      | Relationship / procedure
Mobile | T1447  | Delete Device Data        | Delete Device Data is revoked by this object.
Mobile | T1630  | Indicator Removal on Host | This object is a sub-technique of Indicator Removal on Host.

Associated objects

Groups, software, and campaigns

S0407: Monokle (Malware, Mobile; platform: Android)

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.[1]

S0549: SilkBean (Malware, Mobile; platform: Android)

SilkBean is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.[1]

S0440: Agent Smith (Malware, Mobile; platform: Android)

Agent Smith is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 Agent Smith had infected around 25 million devices, primarily targeting India, though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.[1]

S1080: Fakecalls (Malware, Mobile; platform: Android)

Fakecalls is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.[1]

S0418: ViceLeaker (Malware, Mobile; platform: Android)

ViceLeaker is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: c98316c3d87b7946...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | c98316c3d87b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019.
  2. [2] mitre-attack. T1630.002.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.