Lookout has shared technical information on Massistant, a mobile forensics tool that law enforcement in China uses to collect information from mobile devices.
The application is believed to be the successor of MFSocket, a tool that was analyzed in 2019, and which was used by the country’s police for the same purposes.
Both applications require physical access to the device to be installed, and are developed by Chinese surveillance specialist Xiamen Meiya Pico Information, which was sanctioned by the US government in December 2021.
Between 2019 and 2023, after MFSocket was exposed and analyzed, Lookout collected multiple Massistant samples signed with Android certificates referencing Meiya Pico. Together with forum posts mentioning the new tool, this suggests that Massistant is a replacement for MFSocket.
Both work in tandem with desktop forensics software to retrieve information from mobile devices, and appear to establish a connection over a port forwarding service.
These forensics tools, Lookout explains, are used by law enforcement to collect sensitive data from devices confiscated from individuals of interest, including executives and employees traveling abroad.
“In some cases, researchers have discovered persistent, headless surveillance modules on devices confiscated and then returned by law enforcement such that mobile device activity can continue to be monitored even after the device has been returned,” the mobile security firm notes.
Upon execution, Massistant asks for access to phone services, contacts, SMS messages, images, audio, and GPS location. After this, no other user interaction is required, and the application enters a “get data” mode.
Massistant and MFSocket include similar commands, have the same icon, and share functionality. Furthermore, their code overlaps extensively and both contain functionality to uninstall themselves when the device is disconnected from USB, although this action has failed in multiple cases.
According to Lookout, Massistant does not appear capable of exfiltrating device data absent its desktop counterpart, but “its existence on a device and any logging details or data files would indicate to a device owner that their mobile device data had been compromised if it was confiscated.”
The newer mobile forensics utility also contains a function to automatically bypass conditions in certain security software, the ability to connect using Android Debug Bridge over Wi-Fi and to fetch additional files, and support for collecting data from the Letstalk, Signal, and Telegram messaging applications.
Meiya Pico, which changed its name to SDIC Intelligence Xiamen Information in December 2023, often advertised its involvement in national and international law enforcement product exhibitions, and has reportedly sold forensics and surveillance products to Russian military intelligence.
“Travel to and within mainland China carries with it the potential for tourists, business travelers, and persons of interest to have their confidential mobile data acquired as part of lawful intercept initiatives by state police,” Lookout notes.

