Lookout Discovers Massistant Chinese Mobile Forensic Tooling

Researchers uncovered a Chinese mobile forensics application named Massistant used by law enforcement to extract data from confiscated devices, believed to be the successor to MFSocket. Massistant employs advanced techniques like Accessibility Services and connects via Android Debug Bridge over WiFi, posing risks to travelers’ mobile privacy. #Massistant #MFSocket #MeiyaPico

Keypoints

  • Massistant is a mobile forensics application used by Chinese law enforcement to collect extensive device data, requiring physical access for installation.
  • It is considered the successor to the earlier MFSocket tool, with shared codebase, icons, and similar functionality, both developed by Xiamen Meiya Pico Information Co., Ltd.
  • Massistant introduces new features including the use of Accessibility Services to bypass security prompts and the ability to connect and transfer files via Android Debug Bridge over WiFi.
  • The application collects sensitive data such as GPS location, SMS, images, audio, contacts, and supports additional messaging apps like Signal and Letstalk beyond Telegram.
  • It is typically deployed alongside desktop forensics software, communicating over localhost port 10102, without direct internet connectivity from the mobile device.
  • Massistant attempts to uninstall itself automatically when disconnected from USB, but residual presence has led to user reports on Chinese Q&A forums.
  • Xiamen Meiya Pico is a major Chinese digital forensics company linked to law enforcement and military clients, also sanctioned by the U.S. government in 2021.

MITRE Techniques

  • [T1408] Accessibility Features – Massistant uses Accessibility Services (‘“AutoClick” – an attempt to automatically bypass conditions in certain device security applications…’) to automatically grant permissions and bypass device security prompts.
  • [T1046] Network Service Scanning – The application connects to Android Debug Bridge over WiFi (‘latest version… introduces the ability to connect… using the Android Debug Bridge over WiFi…’).
  • [T1074] Data Staged – Massistant stages extracted data locally for transfer via a companion desktop system (‘does not connect to a server, rather to localhost over the same port…’).
  • [T1537] Boot or Logon Autostart Execution – The application automatically installs on confiscated devices and prompts for persistent permissions (‘if the user attempts to exit the application they receive a notice that the application is in “get data” mode…’).
  • [T1562] Impair Defenses – Employs techniques to bypass device security permissions via Accessibility Services (‘attempt to automatically bypass conditions in certain device security applications’).
  • [T1574] Hijack Execution Flow – Uses BroadcastReceiver to uninstall itself when USB is disconnected (‘uses a USBBroadcastReceiver to uninstall itself from the device…’).

Indicators of Compromise

  • [File Name] Mobile forensics application – Massistant.apk, MFSocket.apk
  • [Port] Localhost communication port – port 10102 used for data extraction communication
  • [Company] Developer signing certificate – referencing Xiamen Meiya Pico Information Co., Ltd.
  • [Library] Native library for WiFi ADB functionality – libNativeUtil.so
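A defender-side triage check, added here as an example and not taken from Lookout's report, that looks for the indicators listed above in text pulled from an Android device over adb: `ss -ltn` output for the localhost listener on TCP 10102, the `settings get secure enabled_accessibility_services` value for an unexpected accessibility service, a file listing for the known file names, and APK signing-certificate subjects for the developer name. The package name `placeholder.forensic.app` and every sample output string are constructed stand-ins, since the page does not give the real package name.

```python
import re
# Indicators from the Lookout write-up summarised above (page-provided values).
IOC_PORT = 10102
IOC_FILES = {"Massistant.apk", "MFSocket.apk", "libNativeUtil.so"}
IOC_SIGNER = "Meiya Pico"

def check_listening_port(ss_output: str, port: int = IOC_PORT) -> bool:
    """True if a TCP socket is listening on `port` in `adb shell ss -ltn` output."""
    pat = re.compile(rf":{port}(\s|$)")
    return any("LISTEN" in ln and pat.search(ln) for ln in ss_output.splitlines())

def check_accessibility_services(setting: str, allowlist: set) -> list:
    """Packages from colon-separated `pkg/ServiceClass` entries that are not allowlisted."""
    if not setting or setting.strip() in ("", "null"):
        return []
    pkgs = [e.split("/", 1)[0] for e in setting.strip().split(":") if e]
    return sorted({p for p in pkgs if p not in allowlist})

def check_file_names(listing: str) -> list:
    """Known Massistant/MFSocket file names present in a newline-separated path listing."""
    names = {ln.strip().rsplit("/", 1)[-1] for ln in listing.splitlines() if ln.strip()}
    return sorted(names & IOC_FILES)

def check_signer(cert_subject: str) -> bool:
    """True if an APK signing-certificate subject names the known developer."""
    return IOC_SIGNER.lower() in cert_subject.lower()

def triage(ss_output, accessibility, listing, cert_subjects, allowlist) -> list:
    findings = []
    if check_listening_port(ss_output):
        findings.append(f"localhost listener on TCP {IOC_PORT}")
    for p in check_accessibility_services(accessibility, allowlist):
        findings.append(f"unexpected accessibility service enabled: {p}")
    for f in check_file_names(listing):
        findings.append(f"known file name present: {f}")
    for s in cert_subjects:
        if check_signer(s):
            findings.append(f"APK signed by known developer: {s}")
    return findings

# Constructed sample device output (not captured from a real device).
SAMPLE_SS = ("State  Recv-Q Send-Q Local Address:Port  Peer Address:Port\n"
             "LISTEN 0      50     127.0.0.1:10102     0.0.0.0:*\n"
             "LISTEN 0      10     0.0.0.0:8080        0.0.0.0:*\n")
# 'placeholder.forensic.app' is a stand-in; the page does not give the real package name.
SAMPLE_ACCESS = "com.google.android.marvin.talkback/.TalkBackService:placeholder.forensic.app/.AutoClick"
SAMPLE_FILES = "/sdcard/Download/Massistant.apk\n/sdcard/DCIM/IMG_0001.jpg\n/data/app/placeholder/lib/arm64/libNativeUtil.so\n"
SAMPLE_CERTS = ["CN=Xiamen Meiya Pico Information Co., Ltd., C=CN", "CN=Android, O=Google Inc."]
ALLOWLIST = {"com.google.android.marvin.talkback"}
```

Run `triage(SAMPLE_SS, SAMPLE_ACCESS, SAMPLE_FILES, SAMPLE_CERTS, ALLOWLIST)` against the constructed samples, or substitute real `adb shell` output captured from a device under examination.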


Read more: https://www.lookout.com/threat-intelligence/article/massistant-chinese-mobile-forensics