Security researchers at Lookout Threat Lab have spotted a mobile forensics application named Massistant, reportedly used by law enforcement in China to extract sensitive data from smartphones. Believed to be the successor to a 2019 surveillance tool called MFSocket, Massistant is not distributed through official app stores and requires physical access to a device for installation.
The tool is designed to gather extensive information, including GPS data, SMS messages, photos, contacts, and audio, after a user grants permission. Once launched, the app enters a data collection mode, warning users that exiting may cause errors. No further interaction is needed for the data extraction to proceed.
MFSocket first drew attention in June 2019 when journalist Muyi Xiao reported that Chinese police had installed the app on citizens’ phones. Cybersecurity researcher Baptiste Robert later confirmed that the app’s signing certificates linked it to publicly traded Chinese firm Xiamen Meiya Pico Information Co., Ltd.
Lookout researchers say Massistant resembles MFSocket in both design and function. The two share a significant portion of code, the same application icon, and even connect to a desktop forensics suite via the same local port (10102). Certificates associated with Massistant also reference Meiya Pico.
Samples of Massistant were collected between mid-2019 and early 2023. While the tool does not communicate with external servers, it operates through local port forwarding, likely via Android Debug Bridge (ADB), to synchronize with forensic software on a desktop system.
“While at this time it does not appear that Massistant is capable of exfiltrating data from a device once it leaves the presence of its desktop counterpart, its existence on a device and any logging details or data files would indicate to a device owner that their mobile device data had been compromised if it was confiscated,” the researchers noted.
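A device owner or responder can look for the local port mentioned above in the device's socket table. The following is an added example, not code from Lookout or from the tool itself: it parses the text of `/proc/net/tcp` (assumed here to be captured with `adb shell cat /proc/net/tcp`; IPv4 only) and reports sockets using port 10102. The function names and the sample data are constructed for illustration, and a hit is only a lead for further review, since other software may use the same port.

```python
import socket
import struct

FORENSIC_PORT = 10102  # local port named in the report (0x2776 in /proc/net/tcp)
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # subset of kernel state codes

# Constructed sample of /proc/net/tcp output (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2776 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234
   1: 0100007F:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 40211
   2: 0100007F:2776 0100007F:C350 01 00000000:00000000 00:00000000 00000000 10234        0 51240
   3: 0F02000A:A1B2 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000 10150        0 60001
"""

def parse_addr(field):
    """Decode 'HEXIP:HEXPORT'; the IP is stored little-endian on ARM/x86."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def find_port_sockets(proc_net_tcp, port=FORENSIC_PORT):
    """Return sockets whose local or remote port equals `port`."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8:
            continue  # blank or truncated row
        try:
            local, remote = parse_addr(cols[1]), parse_addr(cols[2])
            uid = int(cols[7])
        except (ValueError, struct.error):
            continue  # row is not in the expected format
        if port in (local[1], remote[1]):
            hits.append({
                "local": "%s:%d" % local,
                "remote": "%s:%d" % remote,
                "state": TCP_STATES.get(cols[3], cols[3]),
                "uid": uid,
                # Android assigns installed apps UIDs starting at 10000.
                "app_owned": uid >= 10000,
            })
    return hits

if __name__ == "__main__":
    for hit in find_port_sockets(SAMPLE_PROC_NET_TCP):
        print(hit)
```
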