Researchers at Lookout Threat Lab have recently uncovered “Massistant,” an advanced Android-based mobile forensics application actively deployed by Chinese law enforcement to extract sensitive information from mobile devices.
The tool is considered the direct successor to “MFSocket,” an earlier forensics solution developed by the publicly listed firm Xiamen Meiya Pico Information Co., Ltd., now known as SDIC Intelligence Xiamen Information Co., Ltd.
First identified on Chinese social media in 2019 and corroborated through technical analysis, MFSocket had become notorious for allowing police to collect device-level evidence at border checkpoints and during police stops via physical access to the device.
The emergence of Massistant marks a significant evolution in mobile forensics capabilities within mainland China, building upon and expanding the feature set of its predecessor.

Data Collection Capabilities
Massistant is not distributed via conventional application stores but requires installation through physical device access, typically at the hands of authorities.
Upon launch, the application requests a comprehensive suite of permissions: access to GPS location, SMS messages, contacts, call logs, images, and audio files.
The forensic tool is designed to operate in conjunction with proprietary desktop software, specifically the Meiya Pico “Mobile Master” ecosystem, and communicates with it via localhost over port 10102, mirroring the architecture of MFSocket.
The application leverages Android Debug Bridge (ADB) and port forwarding to facilitate seamless data extraction while the device is connected via USB.
Unlike typical spyware, Massistant does not maintain persistent internet-based command and control infrastructure; its primary data exfiltration occurs during direct USB connections.
Massistant also employs sophisticated methods such as Android Accessibility Services, labeled internally as “AutoClick,” to automatically overcome device security prompts and expedite permission acquisition.
This tactic can bypass certain security controls, including those implemented by security-centric Android environments like Xiaomi’s MIUI Security Center.
Furthermore, Massistant enhances third-party messaging data collection, expanding beyond Telegram (as supported by MFSocket) to include Signal and Letstalk.
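A triage check for the localhost channel on port 10102 and the ADB port forwarding described above, as an added example that is not from Lookout's report or from the tool itself. The sample `/proc/net/tcp` and `adb forward --list` text is constructed, and it is an assumption that the channel shows up as a loopback listener on the device or as a forward on the examining host.

```python
import ipaddress
import struct

MASSISTANT_PORT = 10102  # localhost port named in the article
TCP_LISTEN = "0A"        # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2776 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234 1
   1: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 40111 1
   2: 0100007F:2776 0100007F:B1C4 01 00000000:00000000 00:00000000 00000000 10234        0 51290 1
"""

# Constructed sample of `adb forward --list` output: "<serial> <local> <remote>".
SAMPLE_ADB_FORWARDS = """\
R58M12ABCDE tcp:10102 tcp:10102
R58M12ABCDE tcp:8700 jdwp:4321
"""

def parse_listeners(proc_net_tcp):
    """Return (ip, port, uid) for every IPv4 socket in LISTEN state."""
    out = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 8 or f[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = f[1].split(":")
        # The kernel prints the address as a little-endian 32-bit hex word.
        ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
        out.append((str(ip), int(hex_port, 16), int(f[7])))
    return out

def suspicious_listeners(proc_net_tcp, port=MASSISTANT_PORT):
    """Loopback-only listeners on the given port, with the owning UID."""
    return [(ip, p, uid) for ip, p, uid in parse_listeners(proc_net_tcp)
            if p == port and ipaddress.ip_address(ip).is_loopback]

def suspicious_forwards(adb_forward_list, port=MASSISTANT_PORT):
    """adb forwards whose host or device end is tcp:<port>."""
    hits = []
    for line in adb_forward_list.splitlines():
        parts = line.split()
        if len(parts) == 3 and f"tcp:{port}" in parts[1:]:
            hits.append(tuple(parts))
    return hits

if __name__ == "__main__":
    print(suspicious_listeners(SAMPLE_PROC_NET_TCP))
    print(suspicious_forwards(SAMPLE_ADB_FORWARDS))
```

A hit is only a lead: the returned UID still has to be mapped to an installed package before drawing any conclusion, since other software can bind the same port.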
International Implications
Once exfiltration is complete and the USB connection is severed, Massistant is programmed to self-delete using a BroadcastReceiver, reducing its likelihood of post-analysis discovery.

Nonetheless, reports from Chinese Q&A forums indicate that unsuccessful uninstallation events have allowed users to detect the application on returned devices.
Notably, the app included only two non-system default language options: Simplified Chinese and US English, indicating a focus on both domestic and international targets.
The introduction of Massistant occurs alongside legislative shifts, specifically a 2024 law empowering Chinese police to analyze confiscated devices without a warrant, which heightens the risk for business travelers and expatriates.
Lookout researchers have documented anecdotal evidence of business travelers’ devices being persistently compromised, sometimes with “headless” surveillance modules remaining after return.
Meiya Pico, recently rebranded as SDIC Intelligence, controls approximately 40% of the digital forensics market in China and maintains an international presence, with past sales reaching the Russian military and participation in Belt and Road forensic training programs.
In 2021, the company was sanctioned by the US government for ties to Chinese military intelligence activities. Chinese authorities reportedly advise against manual uninstallation of forensic tools like Massistant, with references surfaced on local forums, although no direct documentation was found on government sites.
Indicators of Compromise (IoC)