Chinese Mobile Forensic Tool Accesses SMS, Images, Audio, and GPS Data
Cybersecurity researchers at Lookout Threat Lab have uncovered a sophisticated mobile forensics application called Massistant, deployed by Chinese law enforcement to extract comprehensive data from confiscated mobile devices.
The tool represents a significant evolution from its predecessor MFSocket, incorporating advanced capabilities to bypass device security measures and collect sensitive information including SMS messages, images, audio files, GPS location data, contacts, and messaging app content.
The discovery raises critical security concerns for international business travelers and enterprise organizations, particularly as Chinese authorities have expanded their digital surveillance capabilities under new legislation introduced by the Ministry of State Security in 2024, which permits device collection and analysis without warrants.
Anecdotal reports suggest Chinese law enforcement has been systematically collecting and analyzing devices belonging to business travelers, with some cases revealing persistent surveillance modules that continue monitoring activity even after devices are returned to their owners.
Technical Architecture
Massistant operates as a client-side component within Meiya Pico’s broader Mobile Master forensics ecosystem, establishing communication with desktop forensics software through localhost port 10102, identical to its predecessor MFSocket.
The application requires physical device access for installation and was never distributed through official channels like Google Play Store, indicating its exclusive use by authorized law enforcement personnel.
The tool’s technical sophistication extends beyond simple data extraction. Upon installation, Massistant requests extensive permissions for accessing device GPS location data, SMS messages, images, audio files, contacts, and phone services.
The application includes multilingual support limited to Simplified Chinese and US English, suggesting its primary deployment targets both domestic Chinese users and international visitors.
When users attempt to exit the application, they receive notifications indicating the tool is in “get data” mode, effectively preventing termination during active forensics operations.
A critical advancement in Massistant involves the implementation of Accessibility Services through developer-designated “AutoClick” classes, designed to automatically bypass security prompts from device protection applications.
This capability allows the tool to circumvent security measures in applications like Miui Security Center, automatically granting necessary permissions without user intervention.
The latest version 8.5.7 introduces wireless connectivity through Android Debug Bridge over WiFi and the ability to download additional files to compromised devices via the native library libNativeUtil.so.
Corporate Background
Massistant’s development traces back to Xiamen Meiya Pico Information Co., Ltd., a publicly traded Chinese technology company controlling approximately 40% of mainland China’s digital forensics market share.
The company underwent a corporate restructuring in December 2023, changing its name to SDIC Intelligence Xiamen Information Co., Ltd., though signing certificates for both MFSocket and Massistant continue referencing the original Meiya Pico designation.

The forensics tool first emerged following reports by Chinese journalist Muyi Xiao in June 2019, who documented Chinese netizens discovering MFSocket installations on their devices after police encounters.
Cybersecurity researcher Baptiste Robert subsequently confirmed Meiya Pico’s involvement through analysis of signing certificates.
Chinese question-and-answer forums dating to mid-2020 contain user reports of Massistant installations, suggesting the tool’s deployment as MFSocket’s replacement coincided with Meiya Pico’s product line upgrades from V2 to V3 versions of their DC-4501, DC-4700, and FL-900 forensics systems.
Meiya Pico’s international reach extends beyond Chinese borders, with documented partnerships including Russian military contracts for forensics equipment and training programs for Belt & Road Initiative countries.
However, the company faced sanctions from the US Office of Foreign Assets Control in 2021 under the Chinese Military Companies Sanctions program, reflecting growing international concern over its surveillance capabilities.
The tool’s self-destruction mechanism, implemented with a USBBroadcastReceiver, attempts to uninstall the application automatically when the device is disconnected from USB; forum reports indicate that this occasionally fails, leaving users to discover the application’s presence.
For enterprise security teams, Massistant’s existence on returned devices serves as a clear indicator of forensics compromise, even when the tool successfully removes itself.
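For security teams inspecting a returned device, the following triage script is an added example (not Lookout’s tooling or Meiya Pico’s code) that checks outputs collected over `adb shell` for the indicators the report describes: a listener on localhost port 10102, the libNativeUtil.so helper library, a signing certificate still naming Meiya Pico, and an APK SHA1 present in an indicator list. The `ss`, `ls` and `apksigner` output formats it parses are assumptions, and the sample inputs are constructed.

```python
import hashlib
import re

# Indicators from the write-up: the localhost port used to reach the desktop
# forensics suite, the native helper library, and the vendor name on the signer.
FORENSICS_PORT = 10102
NATIVE_LIB = "libNativeUtil.so"
SIGNER_KEYWORD = "meiya pico"
KNOWN_SHA1 = {"0" * 40}  # placeholder; load a published IoC list here (value is constructed)


def find_forensics_listener(ss_output, port=FORENSICS_PORT):
    """Lines of `ss -ltnp`-style output that show a listener on the forensics port."""
    pattern = re.compile(r"(?:127\.0\.0\.1|0\.0\.0\.0|\[::1?\]|\*):%d\b" % port)
    return [ln.strip() for ln in ss_output.splitlines() if pattern.search(ln)]


def suspicious_native_libs(lib_listing):
    """Paths ending in the helper library, from an `ls`-style listing of an app's lib dir."""
    return [p.strip() for p in lib_listing.splitlines() if p.strip().endswith(NATIVE_LIB)]


def signer_matches(cert_dump):
    """True if an `apksigner verify --print-certs`-style dump names the original vendor."""
    return SIGNER_KEYWORD in cert_dump.lower()


def apk_hash_known(apk_bytes, known=KNOWN_SHA1):
    """True if the APK's SHA1 is in the indicator set."""
    return hashlib.sha1(apk_bytes).hexdigest() in known


def triage(ss_output, lib_listing, cert_dump, apk_bytes):
    """Run every check; a single hit is enough to escalate the device for forensic review."""
    findings = {
        "listener": find_forensics_listener(ss_output),
        "native_lib": suspicious_native_libs(lib_listing),
        "vendor_signer": signer_matches(cert_dump),
        "hash_match": apk_hash_known(apk_bytes),
    }
    findings["escalate"] = any(bool(v) for v in findings.values())
    return findings


# Constructed sample inputs standing in for real `adb shell` output.
SAMPLE_SS = (
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
    "LISTEN 0      50     127.0.0.1:10102    0.0.0.0:*\n"
    "LISTEN 0      128    127.0.0.1:8600     0.0.0.0:*\n"
)
SAMPLE_LIBS = "/data/app/example/lib/arm64/libNativeUtil.so\n/data/app/example/lib/arm64/libfoo.so\n"
SAMPLE_CERT = "Signer #1 certificate DN: O=Xiamen Meiya Pico Information Co., Ltd., C=CN\n"
```

A hit on any check is a reason to treat the device as compromised and hand it to incident response rather than return it to service; a clean run is not proof of absence, since the tool is designed to remove itself on USB disconnect.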
Indicators of Compromise