Massistant – Uncovering SMS, Media, and GPS Data with Chinese Mobile Forensics Tool

Researchers at Lookout Threat Lab have discovered a sophisticated mobile forensics application named Massistant, used by Chinese law enforcement to extract extensive data from confiscated mobile devices.

This tool represents a significant evolution in mobile surveillance capabilities, building upon its predecessor, MFSocket, to access SMS messages, GPS location data, images, audio files, contacts, and phone services from targeted devices.

Advanced Successor to MFSocket Surveillance Tool

Massistant appears to be the successor to MFSocket, a mobile forensics tool first reported in 2019 and attributed to publicly traded cybersecurity company Meiya Pico.

The application requires physical access to install and operate in conjunction with desktop forensics software, connecting through localhost port 10102 to facilitate data extraction.

Unlike its predecessor, Massistant introduces enhanced capabilities, including Accessibility Services to automatically bypass device security prompts and support for additional messaging platforms beyond Telegram, now including Signal and Letstalk.

The forensics tool utilizes a feature developers refer to as “AutoClick” functionality, which is designed to automatically grant permissions and circumvent security applications, such as the MIUI Security Center.

When launched, users receive permission requests for accessing critical device functions, with the application displaying warnings in both simplified Chinese and English that exiting would result in errors during “get data” mode.

Technical Capabilities and Self-Destruction Features

Technical analysis reveals that Massistant version 8.5.7 incorporates advanced features including Android Debug Bridge connectivity over WiFi and the ability to download additional files to compromised devices through a native library called libNativeUtil.so.

The application maintains nearly identical code structure to MFSocket, sharing the same application icon and containing an XML resource file named “mfsocket.xml.”

A critical technical feature involves automatic self-destruction upon disconnection from the USB port.

Massistant employs a USBBroadcastReceiver to uninstall itself when the device disconnects from USB; however, researchers note that this mechanism sometimes fails, leading to the discovery of the app by device owners on Chinese social media platforms.

International Implications and Corporate Connections

Meiya Pico, the company behind these surveillance tools, controls approximately 40% of China’s digital forensics market and maintains partnerships with domestic and international law enforcement agencies.

The company has provided training programs for countries participating in China’s Belt and Road Initiative.

It has been sanctioned by the US Government Office of Foreign Assets Control under the Chinese Military Companies Sanctions.

For international travelers, particularly business executives visiting mainland China, these tools represent significant privacy risks.

Border patrol policies that allow for device confiscation create opportunities for law enforcement to install forensic applications, potentially compromising sensitive corporate and personal data.

The 2024 Ministry of State Security legislation further expanded law enforcement capabilities to collect and analyze devices without warrants, heightening concerns for international visitors and business travelers operating in Chinese territories.