In an update to China’s expanding digital surveillance ecosystem, researchers at Lookout Threat Lab have uncovered a powerful mobile forensics application known as Massistant, believed to be a successor to the controversial MFSocket spyware used by Chinese law enforcement.
“These samples require physical access to the device to install, and were not distributed through the Google Play store,” Lookout reported, noting that installation typically follows confiscation at border checkpoints or law enforcement stops within China.
Massistant is designed for one purpose: extracting vast amounts of personal and corporate data from a user’s phone during temporary seizures by law enforcement. The app is part of what Lookout calls “a mobile evidence collection system,” which allows authorities to bypass user authentication and access files, messages, contacts, and even cryptocurrency wallets.
“In 2024, the Ministry of State Security introduced new legislation that would allow law enforcement personnel to collect and analyze devices without a warrant,” the report adds. This legislative move has enabled broader deployment of tools like Massistant.
Massistant is linked to Xiamen Meiya Pico Information Co., Ltd., a Chinese company previously associated with the MFSocket surveillance tool. Public documentation and certificate metadata tie both applications to Meiya Pico, which changed its name in 2023 to SDIC Intelligence Xiamen Information Co., Ltd.

“Massistant exists as a clear iteration upon the older MFSocket version 5.0… many of the commands found in early MFSocket versions have been included in Massistant,” the report explains.
Lookout notes that both tools open a localhost connection on port 10102, likely using Android Debug Bridge (ADB) to interface with a desktop forensic companion. This allows police or border agents to control the phone via a connected forensic workstation.
Massistant introduces several new and concerning capabilities:
- AccessibilityService abuse via a class called “AutoClick” to bypass security prompts automatically.
- WiFi-based ADB access, enabling remote installation of additional surveillance modules using native libraries like libNativeUtil.so.
- Expanded message extraction from third-party encrypted messengers, including Signal and Letstalk, beyond the Telegram support found in MFSocket.
- Stealth self-removal through a USB disconnect trigger, intended to erase evidence of surveillance once the device is returned to the user.
Despite these enhancements, Lookout clarified that the app does not appear to exfiltrate data remotely after the forensic session ends. However, its mere presence on a device — especially when discovered by the owner — signals that deep data extraction has occurred.
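A triage check for two of the traits described above, the localhost listener on port 10102 and an enabled accessibility service whose class is named AutoClick, written here as an added example and not taken from Lookout's report or any vendor tool. It assumes the examiner already holds a copy of the device's `/proc/net/tcp` table and the value of the `enabled_accessibility_services` secure setting; the sample data, UIDs and package name are constructed placeholders, and a match is a lead for further analysis because other apps may use the same class name.

```python
import ipaddress
import struct

FORENSIC_PORT = 10102  # localhost port Lookout reports for MFSocket and Massistant
LISTEN = "0A"          # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample data; the UIDs and the package name are placeholders.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2776 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 40211
   2: 0F02000A:2776 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10180        0 60321
"""
SAMPLE_A11Y = ("com.example.reader/.ScreenReader:"
               "com.example.placeholder/com.example.placeholder.AutoClick")

def parse_proc_net_tcp(text):
    """Yield (ip, port, state, uid) for each IPv4 socket row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0].rstrip(":").isdigit():
            continue  # column header or truncated row
        hex_ip, hex_port = fields[1].split(":")
        # On little-endian devices the address is printed as a byte-swapped hex word.
        ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
        yield str(ip), int(hex_port, 16), fields[3], int(fields[7])

def forensic_listener_uids(text):
    """UIDs that own a LISTEN socket bound to 127.0.0.1:10102."""
    return [uid for ip, port, state, uid in parse_proc_net_tcp(text)
            if ip == "127.0.0.1" and port == FORENSIC_PORT and state == LISTEN]

def autoclick_services(enabled):
    """Enabled accessibility components whose class is named AutoClick."""
    hits = []
    for comp in filter(None, enabled.strip().split(":")):
        cls = comp.partition("/")[2]           # text after "package/"
        if cls.rsplit(".", 1)[-1] == "AutoClick":
            hits.append(comp)
    return hits

if __name__ == "__main__":
    print("listener UIDs:", forensic_listener_uids(SAMPLE_TCP))
    print("AutoClick services:", autoclick_services(SAMPLE_A11Y))
```

The parser covers the IPv4 table only; a listener bound through an IPv6 socket would appear in `/proc/net/tcp6`, which uses a longer address format.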
Adding to the concern, Chinese users on forums like Zhidao and Zhihu have reported being warned not to remove the Massistant app from their phones after inspection. One user even referenced the Ministry of Public Security, alleging the app’s removal was considered illegal — although Lookout found no public source confirming that.
“Forum posts date back to mid-2020, which seems to support the hypothesis that this tool was introduced to replace the MFSocket mobile component in Meiya Pico’s ‘Mobile Master’ ecosystem,” the report writes.
Meiya Pico isn’t just operating domestically. The company has exhibited products at INTERPOL World, provided surveillance tools to Russia’s military investigative directorate, and offered training to Belt & Road Initiative partner nations. Though some sales — like those to Russia — were later annulled due to fraud, the global reach of their mobile forensics tools is well-documented.
In 2021, the U.S. government sanctioned Meiya Pico under Executive Order 13959, labeling it a Chinese military company that poses a threat to national security.