Emerging in mid-2023 as an apparent successor to Meiya Pico's infamous MFSocket, the newly identified Android tool Massistant has begun surfacing on confiscated handsets at Chinese border checkpoints and police stations.
Unlike conventional spyware that relies on covert remote delivery, Massistant is installed physically while a device is in official custody, then pairs with a Meiya Pico "Mobile Master" workstation to conduct a high-speed forensic dump.
Travellers report discovering the unfamiliar icon only after their phones are returned, while forensic analysts have traced every variant to a signing certificate belonging to Xiamen Meiya Pico Information Co., Ltd., a firm now re-branded as SDIC Intelligence but still controlling roughly 40% of China's digital-forensics market.
Lookout analysts noted that the malware is deliberately confined to side-loading channels rather than Google Play, ensuring it never passes through automated market vetting. Once launched, it immediately requests fine-grained permissions for GPS, SMS, camera roll, microphone, contacts and telephony, permissions that a uniformed officer can readily grant during the brief inspection window.
Massistant then opens a local service on TCP/10102 and waits for the desktop client to forward Android Debug Bridge (ADB) commands across the USB link, harvesting data partitions within minutes.
The Massistant icon (top) and MFSocket icon (bottom) look identical (Source – Lookout)
This illustrates the identical launcher icons reused from MFSocket, underscoring the code-base lineage confirmed by shared package names and an internal XML file literally titled "mfsocket.xml."
MFSocket (top) and Massistant (bottom) package structures are similar, with additional packages added for Massistant's more robust feature set (Source – Lookout)
A further capture shows packet traces of the localhost handshake that binds handset and workstation.
Unlike commodity malware that stays resident for continued espionage, Massistant attempts to erase its footprint the moment the USB cable is removed.
A purpose-built USBBroadcastReceiver listens for the disconnect event and silently uninstalls the APK; however, anecdotal failures of this self-wipe have revealed the tool to end-users and given researchers a trove of samples to reverse-engineer.
// Auto-removal routine extracted from Massistant v8.5.7
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.hardware.usb.UsbManager;

public class USBBroadcastReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context ctx, Intent i) {
        // ACTION_USB_DEVICE_DETACHED is defined on UsbManager, not Intent; it is the host-mode broadcast.
        // A handset attached to a PC as a USB device instead sees UsbManager.ACTION_USB_STATE with "connected" = false.
        if (UsbManager.ACTION_USB_DEVICE_DETACHED.equals(i.getAction())) {
            // Disable this receiver first so the uninstall is not re-triggered.
            ctx.getPackageManager().setComponentEnabledSetting(
                    new ComponentName(ctx, getClass()),
                    PackageManager.COMPONENT_ENABLED_STATE_DISABLED,
                    PackageManager.DONT_KILL_APP);
            // Shells out to pm; fails when the calling uid lacks the permission pm uninstall needs, leaving the APK visible.
            try {
                Runtime.getRuntime().exec("pm uninstall com.meyapico.massistant");
            } catch (java.io.IOException ignored) { }
        }
    }
}
Infection Mechanism and ADB Automation
Massistant's most striking evolution is an "AutoClick" AccessibilityService that dismisses security dialogs automatically, ensuring permission grants even on hardened ROMs such as MIUI.
The native library libNativeUtil.so further exposes an ADB-over-Wi-Fi backdoor: once the forensic laptop authenticates over USB, it can switch to the device's WLAN interface, copy auxiliary binaries and continue extraction untethered.
During laboratory testing, Lookout researchers identified hard-coded shell commands (setprop service.adb.tcp.port 5555 followed by stop adbd && start adbd) that reopen ADB in TCP mode, a feature quietly advertised on Meiya Pico's commercial website as a 2024 "Mobile Master Series" upgrade.
The combination of USB installation, Accessibility bypass, and transient ADB-over-Wi-Fi sessions allows investigators to dump messages from Signal, Telegram and Letstalk, even when these apps encrypt local storage, before scrubbing the forensic implant.
For corporate security teams, the finding underscores the importance of "travel mode" policies that disable USB debugging, enforce strong device encryption, and perform post-trip integrity scans capable of detecting residual artifacts such as a stray mfsocket.xml or the cached SQLite extracts that Massistant occasionally leaves behind.
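The following is an added example, written for this article and not Lookout's, Meiya Pico's or Massistant's code, of the post-trip scan the preceding paragraph calls for. It parses the text an analyst gets back from four adb shell commands run over USB (getprop service.adb.tcp.port, pm list packages -f, ss -ltn, and a find for the stray XML file) and flags the indicators this article names: the TCP/10102 local service, the ADB-over-TCP port 5555, the file mfsocket.xml, and the package name from the uninstall snippet above. The regex patterns, the path under /data/data and every sample output are constructed for the example and are assumptions, not published indicators. Two caveats: reading another app's private directory needs root or a forensic image, and because the implant uninstalls itself on disconnect, a clean result is not proof that nothing ran.

```python
"""Post-trip triage of adb shell output for Massistant-style residue.

Added example for this article; not Lookout's, Meiya Pico's, or Massistant's code.
Indicator values come from the article; regexes and sample outputs are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators named in the article. A starting list, not a complete one (assumed patterns).
SUSPECT_PACKAGE_PATTERNS = [re.compile(p, re.I) for p in (r"meyapico", r"mfsocket")]
SUSPECT_FILENAMES = {"mfsocket.xml"}
SUSPECT_PORTS = {10102, 5555}  # Massistant local service; ADB-over-TCP default


@dataclass(frozen=True)
class Finding:
    check: str   # which check fired
    detail: str  # the matching value


def check_adb_tcp(getprop_output: str) -> list[Finding]:
    """service.adb.tcp.port is empty or -1 when adbd listens on USB only;
    any other value means the TCP listener was left enabled."""
    value = getprop_output.strip()
    if value and value != "-1":
        return [Finding("adb_tcp", f"service.adb.tcp.port={value}")]
    return []


def scan_packages(pm_output: str) -> list[Finding]:
    """Lines look like package:/data/app/.../base.apk=pkg.name (pm list packages -f)."""
    out = []
    for line in pm_output.splitlines():
        m = re.match(r"package:(.+)=([\w.]+)$", line.strip())
        if m and any(p.search(m.group(1)) or p.search(m.group(2))
                     for p in SUSPECT_PACKAGE_PATTERNS):
            out.append(Finding("package", f"{m.group(2)} ({m.group(1)})"))
    return out


def scan_listeners(ss_output: str) -> list[Finding]:
    """Handles ss -ltn and netstat -tln: on a LISTEN line the first token that
    ends in ':<number>' is the local address (the peer side ends in ':*')."""
    out = []
    for line in ss_output.splitlines():
        if "LISTEN" not in line.split():
            continue
        for tok in line.split():
            m = re.fullmatch(r"(.+):(\d+)", tok)
            if m:
                if int(m.group(2)) in SUSPECT_PORTS:
                    out.append(Finding("listener", tok))
                break
    return out


def scan_paths(find_output: str) -> list[Finding]:
    """One path per line, as printed by find; match on the basename only."""
    return [Finding("file", p.strip()) for p in find_output.splitlines()
            if p.strip().rsplit("/", 1)[-1] in SUSPECT_FILENAMES]


def triage(getprop_output: str, pm_output: str, ss_output: str,
           find_output: str) -> list[Finding]:
    """Run all four checks and return every finding, in check order."""
    return (check_adb_tcp(getprop_output) + scan_packages(pm_output)
            + scan_listeners(ss_output) + scan_paths(find_output))


# --- Constructed sample outputs (not captured from a real device) ---
SAMPLE_GETPROP = "5555\n"
SAMPLE_PM_LIST = """\
package:/data/app/~~aaaa==/com.android.chrome-1/base.apk=com.android.chrome
package:/data/app/~~bbbb==/com.meyapico.massistant-1/base.apk=com.meyapico.massistant
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     127.0.0.1:10102     0.0.0.0:*
LISTEN 0      4096   *:5555              *:*
LISTEN 0      10     127.0.0.1:7700      0.0.0.0:*
"""
SAMPLE_FIND = """\
/data/data/com.meyapico.massistant/shared_prefs/mfsocket.xml
/data/data/com.android.chrome/shared_prefs/chrome.xml
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_GETPROP, SAMPLE_PM_LIST, SAMPLE_SS, SAMPLE_FIND):
        print(f"[{f.check}] {f.detail}")
```

Run the same check_adb_tcp against getprop persist.adb.tcp.port as well: adbd honours that persistent variant, so a listener configured there survives the reboot that clears service.adb.tcp.port. Any hit on the package or file checks should be followed by pulling the APK and comparing its signing certificate against the Meiya Pico certificate the article describes, rather than trusting the name match alone.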