MITRE ATT&CK® Technique

T1662: Data Destruction

Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.

To achieve data destruction, adversaries may use the `pm uninstall` command to uninstall packages or the `rm` command to remove specific files. For example, adversaries may first use `pm uninstall` to uninstall non-system apps, and then use `rm (-f)` to delete specific files, further hiding malicious activity.[1][2]

Domain: Mobile | ID: T1662 | Type: Technique | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Data Destruction (T1662) matters because a compromised Android device can move from espionage or access abuse into availability loss: apps and files may be removed in ways that disrupt work and reduce forensic recoverability. For leaders, the key question is not only whether mobile malware can be found, but whether the organization can preserve evidence, restore affected devices, and prove mobile data resilience after destructive activity.

Executive priority

Prioritize this where Android devices support regulated workflows, executive communications, field operations, financial activity, or other business-critical mobile use. The ATT&CK relationships show multiple mobile malware families associated with this behavior, so mobile security planning should include destructive outcomes, not just data theft. Executives should ask whether mobile backups, device re-enrollment, user guidance, incident triage, and audit evidence are sufficient when apps or local files are intentionally removed.

Technical view

This is an Android mobile technique with no ATT&CK tactic specified and no official detection text provided. The description highlights package uninstallation and file removal behavior using native commands, so SOC and IR teams should validate whether mobile telemetry can show unexpected application uninstall events, suspicious file deletion activity, changes to app inventory, and post-incident recovery state. The related DET0671 detection strategy indicates detection content exists in ATT&CK context, but the supplied fields do not provide its logic; teams should map any local analytics to observable Android uninstall/delete behavior and to known mobile malware relationships such as BRATA, LightSpy, RatMilad, and SameCoin without assuming those threats are present.

Likely telemetry

  • Android MDM/UEM app inventory and uninstall history
  • Mobile threat defense or EDR alerts for suspicious native command execution where available
  • Device file deletion or storage-change telemetry where available
  • Application install/uninstall package management events
  • Backup, restore, and device re-enrollment records

Detection direction

  • Confirm whether Android fleet monitoring records application removals, not just malware detections.
  • Tune for unusual or rapid uninstall activity, especially removal of non-system apps or security/business applications, while accounting for legitimate user-initiated uninstall and IT lifecycle actions.
  • Validate whether file deletion activity is visible on managed Android devices; many environments may have limited endpoint-level file telemetry.
  • Correlate destructive mobile behavior with prior suspicious mobile activity, C2 or spyware indicators, and affected user risk, but do not rely on attribution to a named malware family without local evidence.
  • Use the related DET0671 strategy as a reference point, but require local testing because the official detection field for this technique is not supplied.
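As an added illustration of the second and fourth bullets (not part of the original page or of ATT&CK), the following Python runs a burst-of-uninstalls check over constructed MDM/UEM uninstall events. The package prefixes treated as system apps, the protected-app list and the `it_lifecycle` actor tag are all assumptions standing in for a real fleet's naming and MDM fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MDM/UEM uninstall events (not real telemetry).
# Format: <timestamp> <device> <package> <action> actor=<who the MDM reports>
SAMPLE_EVENTS = [
    "2024-05-01T09:00:00Z dev-01 com.example.mail uninstall actor=user",
    "2024-05-01T13:02:10Z dev-02 com.example.banking uninstall actor=unknown",
    "2024-05-01T13:02:12Z dev-02 com.example.mdmagent uninstall actor=unknown",
    "2024-05-01T13:02:15Z dev-02 com.example.authenticator uninstall actor=unknown",
    "2024-05-01T13:02:20Z dev-02 com.android.settings uninstall actor=unknown",
    "2024-05-01T16:00:00Z dev-03 com.example.oldcrm uninstall actor=it_lifecycle",
    "2024-05-01T16:00:03Z dev-03 com.example.oldhr uninstall actor=it_lifecycle",
    "2024-05-01T16:00:05Z dev-03 com.example.oldtimesheet uninstall actor=it_lifecycle",
]

# Assumed tuning values: adjust to the fleet's package naming and MDM actor tags.
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")   # treated as system apps
PROTECTED_APPS = {"com.example.mdmagent", "com.example.authenticator"}  # security/business apps
LEGIT_ACTORS = {"it_lifecycle"}   # planned IT removals the MDM labels as such


def parse_event(line):
    ts, device, package, action, actor = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "device": device,
            "package": package, "action": action, "actor": actor.split("=", 1)[1]}


def detect_uninstall_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Alert on a device when at least `threshold` non-system apps are removed within
    `window` by a non-lifecycle actor, or when any protected app is removed at all."""
    by_device = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["action"] != "uninstall" or ev["actor"] in LEGIT_ACTORS:
            continue                      # keep IT lifecycle actions out of the signal
        if ev["package"].startswith(SYSTEM_PREFIXES):
            continue                      # T1662 text centres on non-system app removal
        by_device[ev["device"]].append(ev)
    alerts = []
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        protected = sorted(e["package"] for e in evs if e["package"] in PROTECTED_APPS)
        # Sliding window: any run of `threshold` removals inside `window` is a burst.
        burst = any(evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window
                    for i in range(len(evs) - threshold + 1))
        if burst or protected:
            alerts.append({"device": device, "removals": len(evs),
                           "burst": burst, "protected_removed": protected})
    return alerts
```

On the sample data only dev-02 alerts: three non-system removals in five seconds, two of them protected apps, while the single user uninstall on dev-01 and the tagged lifecycle removals on dev-03 stay silent.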

Mitigation priorities

  • Strengthen user guidance for risky mobile behaviors and configuration choices, consistent with related mitigation M1011.
  • Ensure managed Android devices have enforceable app controls, backup expectations, and rapid reprovisioning procedures appropriate to business criticality.
  • Prioritize MDM/UEM visibility into app inventory changes and device compliance drift.
  • Define IR playbooks for destructive mobile events, including evidence preservation before wipe/rebuild when feasible.
  • Regularly test restoration of mobile business data and access so destructive activity does not become an extended operational outage.

Analyst notes and limits

The business impact is availability and recoverability on Android devices. The strongest defensive value is validating whether the organization can see uninstall/delete behavior and recover quickly. Relationship context links this technique to several software entries, including BRATA, LightSpy, RatMilad, and SameCoin, but those relationships should be treated as threat-intelligence context rather than proof of local exposure.

ATT&CK provides no official detection details and no tactic for this object in the supplied fields. Telemetry availability varies widely by Android version, device management model, and whether mobile threat defense or endpoint-level logging is deployed. Local environment evidence is required to assess coverage, false positives, and recovery readiness.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware (Mobile)

S1094: BRATA

BRATA (Brazilian Remote Access Tool, Android) is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]

Platforms: Android
Malware (Mobile)

S9030: SameCoin

SameCoin is a multi-platform wiper with Windows and Android versions that has been used by WIRTE to target entities in the Middle East including in Israel.[1]

Platforms: Windows, Android
Malware (Mobile)

S1241: RatMilad

RatMilad is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. Variants of RatMilad have been disguised as VPN applications and a fake app named NumRent. Upon installation, RatMilad employs multiple Collection techniques to collect sensitive information before uploading the collected data to its command and control (C2) server.[1]

Platforms: Android
Malware (Mobile)

S1185: LightSpy

First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]

Platforms: Android, Windows, iOS

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied in snapshot)
Modified: (not supplied in snapshot)
Raw hash: e163b56fa2f91355...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not supplied) | 1.0 | (not supplied) | Current bundle | e163b56fa2f9…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] rootnik_rooting_tool: Hu, W., et al. (2015, December 4). Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information. Retrieved September 26, 2023.
  2. [2] abuse_native_linux_tools: Surana, N., et al. (2022, September 8). How Malicious Actors Abuse Native Linux Tools in Attacks. Retrieved September 26, 2023.
  3. [3] mitre-attack: MITRE ATT&CK, T1662 (attack.mitre.org).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.