Recent findings by security researchers reveal that Chinese authorities are utilizing a sophisticated new type of malware to extract sensitive data from seized mobile phones. This malware enables the retrieval of a variety of personal information, including text messages from popular chat applications like Signal, images, location histories, audio recordings, and contact details.
On Wednesday, Lookout, a mobile cybersecurity company, released an exclusive report detailing this hacking tool known as Massistant. Developed by the Chinese tech giant Xiamen Meiya Pico, Massistant is designed as Android software for the forensic extraction of data from mobile devices. For authorities to utilize this tool effectively, they must have physical access to the targeted devices.
While Lookout has not definitively identified which specific Chinese police agencies are employing Massistant, it is believed to be in widespread use. This raises significant concerns for both Chinese citizens and international travelers, who may find themselves at risk of having their devices compromised. Kristina Balaam, a researcher at Lookout, emphasized the urgency of this issue: "It's a big concern. I think anybody who's traveling in the region needs to be aware that the device they bring into the country could very well be confiscated and anything that's on it could be collected," she stated in an interview with TechCrunch.
Balaam's research indicated that numerous posts on local Chinese forums have emerged, where users express concerns about discovering the malware on their devices after encounters with law enforcement. "It seems to be pretty broadly used," Balaam noted, reflecting on the widespread nature of the tool based on discussions within these forums.
Massistant requires installation on an unlocked device and operates alongside a hardware tower that connects to a desktop computer. According to information and illustrations from Xiamen Meiya Pico's website, the malware may also have an iOS version, although Lookout has not been able to analyze any Apple-compatible version.
Chinese authorities do not need advanced techniques to deploy Massistant. In fact, as Balaam highlighted, users often willingly hand over their devices during interactions with law enforcement. This ease of access is backed by a legal framework that, since 2024, has allowed state security police to search phones and computers without a warrant or an active criminal investigation. Balaam explained, "If somebody is moving through a border checkpoint and their device is confiscated, they have to grant access to it." This legal backing removes any need to exploit software vulnerabilities such as zero-days.
Fortunately for users, Massistant leaves traces of its installation on compromised devices, which makes it possible to identify and remove the malware. Users may find the tool listed as an installed app, or connect to the device with the Android Debug Bridge (ADB) to locate and remove it. However, by the time Massistant is detected the damage may already be done, since the authorities would already have extracted the sensitive personal data.
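The ADB check mentioned above, as an added example written for this article rather than tooling from Lookout or TechCrunch: it lists the third-party packages on a connected device together with the installer Android recorded for each, and flags any that did not come from a known app store, which is how a sideloaded forensic agent would show up. It assumes adb is installed and USB debugging is authorized on the device; the trusted-installer list and the `--scan` flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not Lookout's code): triage an Android device over ADB for
# sideloaded third-party packages. Assumes adb is on PATH and the device is
# unlocked, has USB debugging enabled, and has authorized this computer.

# Installers that account for legitimately obtained apps (example choice).
# "installer=null" means the package was pushed via ADB or a manual APK install.
TRUSTED_INSTALLERS="com.android.vending com.amazon.venezia com.sec.android.app.samsungapps"

# Reads `pm list packages -3 -i` output on stdin, e.g.
#   package:com.example.app  installer=com.android.vending
# and prints one package name per line whose installer is not trusted.
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;   # skip warnings or blank lines from the shell
        esac
        pkg=${line#package:}          # drop the "package:" prefix
        pkg=${pkg%% *}                # keep only the package name
        installer=${line##*installer=}
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            [ "$installer" = "$t" ] && trusted=1
        done
        if [ "$trusted" -eq 0 ]; then
            printf '%s\n' "$pkg"
        fi
    done
    return 0
}

# Pull the package list from the connected device and report suspects.
# tr strips the CR that some adb versions append to each line.
scan_device() {
    adb shell pm list packages -3 -i | tr -d '\r' | flag_sideloaded
}

if [ "${1:-}" = "--scan" ]; then
    scan_device
fi
```

Any package this reports should be reviewed by name (for instance with `adb shell dumpsys package <name>`) before it is uninstalled, since a legitimately sideloaded app will be flagged the same way.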
According to Lookout, Massistant is the successor to an earlier mobile forensic tool, MSSocket, also developed by Xiamen Meiya Pico and analyzed by security researchers in 2019. Xiamen Meiya Pico holds a significant 40% share of the digital forensics market in China and was sanctioned by the U.S. government in 2021 for its involvement in providing technology to the Chinese government.
Balaam further pointed out that Massistant is just one of many spyware and malware tools developed by Chinese surveillance technology manufacturers, referring to it as part of "a big ecosystem" of digital threats. Lookout is actively monitoring at least 15 different malware families operating within China, underscoring the ongoing challenge posed by these surveillance technologies.