Cybersecurity researchers have shed light on a mobile forensics tool called Massistant that’s used by law enforcement authorities in China to gather information from seized mobile devices.
The hacking tool, believed to be a successor of MFSocket, is developed by a Chinese company named SDIC Intelligence Xiamen Information Co., Ltd., which was formerly known as Meiya Pico. It specializes in the research, development, and sale of electronic data forensics and network information security technology products.
According to a report published by Lookout, Massistant works in conjunction with a corresponding desktop software, allowing for access to the device’s GPS location data, SMS messages, images, audio, contacts, and phone services.
“Meiya Pico maintains partnerships with domestic and international law enforcement partners, both as a surveillance hardware and software provider, as well as through training programs for law enforcement personnel,” security researcher Kristina Balaam said.
Massistant requires physical access to the device in order to install the application, meaning it can be used to collect data from confiscated devices from individuals when stopped at border checkpoints.
Lookout said it obtained Massistant samples between mid-2019 and early 2023 and that they were signed with an Android signing certificate referencing Meiya Pico.
Both Massistant and its predecessor, MFSocket, work similarly in that they need to be connected to a desktop computer running forensics software to extract the data from the device. Once launched on the phone, the tool prompts the users to grant it permissions to access sensitive data, after which no further interaction is required.
“If the user attempts to exit the application they receive a notice that the application is in ‘get data’ mode and exiting would result in some error,” Balaam explained. “This message is translated to only two languages: Chinese (Simplified characters) and ‘US’ English.”
The application is designed such that it’s automatically uninstalled from the device when it is disconnected from a USB. Massistant also expands on MFSocket’s features by including the ability to connect to a phone using the Android Debug Bridge (ADB) over Wi-Fi and to download additional files to the device.
Another new functionality incorporated into Massistant is to collect data from third-party messaging apps beyond Telegram to include Signal and Letstalk, a Taiwanese chat application with more than 100,000 downloads on Android.
While Lookout’s analysis focuses mainly on the Android version of Massistant, images shared on its website show iPhones connected to its forensic hardware device, suggesting that there is an iOS equivalent to pull data from Apple devices.
The fact that Meiya Pico may also be focused on iOS devices stems from the various patents filed by the company related to gathering evidence from Android and iOS devices, including voiceprints for internet-related cases.
“Voiceprint features are one of the important biological features of the human body, and can uniquely determine the identity of a user,” according to one patent. “After the voiceprint library is built, a plurality of police seeds can be directly served, and the efficiency and the capability of detecting and solving a case of a related organization can be effectively improved.”
The digital forensics firm’s involvement in the surveillance space is not new. In December 2017, The Wall Street Journal reported that the company worked with police officials in Ürümqi, the capital of Xinjiang Uyghur Autonomous Region in Northwestern China, to scan smartphones for terrorism-related content by plugging them into a handheld device.
Four years later, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Meiya Pico for enabling the “biometric surveillance and tracking of ethnic and religious minorities in China, particularly the predominantly Muslim Uyghur minority in Xinjiang.”
“Travel to and within mainland China carries with it the potential for tourists, business travelers, and persons of interest to have their confidential mobile data acquired as part of lawful intercept initiatives by state police,” Lookout said.
The disclosure comes a couple of months after Lookout unearthed another spyware called EagleMsgSpy that’s suspected to be used by Chinese police departments as a lawful intercept tool to gather a wide range of information from mobile devices.
