
Chinese authorities using malware to extract data from seized phones
Security researchers have discovered that Chinese authorities are using a new piece of malware called Massistant to extract sensitive data from seized mobile phones. This tool, developed by Xiamen Meiya Pico, can grab text messages (even from encrypted apps like Signal), images, location history, audio recordings, and contacts. It's pretty comprehensive, which is raising some serious concerns.
The thing about Massistant is that it needs physical access to the phone. So, authorities would need to confiscate your device to use it. While we don't know exactly which police agencies are using it, it's assumed to be widespread, meaning anyone traveling to or living in China should be aware of the risks. As someone who values privacy, I find this quite alarming. Imagine having your personal data exposed simply because you crossed a border.
One of the researchers who analyzed the malware, Kristina Balaam, mentioned finding posts on Chinese forums where people complained about the malware appearing on their phones after interacting with the police. This suggests it's not just a theoretical threat; it's actually happening.
Massistant isn't especially sophisticated; it relies on a "plug and play" process. The phone has to be unlocked and connected to a hardware tower that is attached to a computer. While there's no confirmed version for Apple devices, illustrations on Xiamen Meiya Pico's website suggest they might have one in the works. The scary thing is, police don't need to use complicated hacking techniques because, as Balaam pointed out, people often just hand over their phones.
Since 2024, Chinese state security police have had the legal authority to search phones and computers without a warrant, even without an active criminal investigation. This legal backing makes it even easier for them to use tools like Massistant. If you're going through a border checkpoint and your device is taken, you're essentially obligated to grant access.
Here's a bit of good news: Massistant leaves traces on the device. This means you might be able to identify and remove it, either as a visible app or using more advanced tools like Android Debug Bridge. However, the bad news is that by the time you detect it, your data is already in the hands of the authorities. It’s like closing the barn door after the horses have bolted.
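One practical way to act on that "leaves traces" point is the before-and-after check below. It is an added example, not code from the original article or from the researchers it cites: you record the list of third-party packages on an Android device before travel, record it again after the device has been out of your hands, and diff the two. The sample package lists are constructed, and the package name "com.example.unknown_forensics" is a placeholder, not a known Massistant identifier. The `adb shell pm list packages -3` and `adb shell pm uninstall --user 0` commands shown in the comments are real Android Debug Bridge commands and need USB debugging enabled on the device.

```shell
#!/bin/sh
# Added example: detect packages that appeared on an Android device while it
# was out of the owner's hands, by diffing two "pm list packages -3" snapshots.
#
# Real collection (needs adb on the computer and USB debugging on the phone):
#   adb shell pm list packages -3 > baseline.txt   # before travel
#   adb shell pm list packages -3 > after.txt      # after the device was returned
#
# The two lists below are constructed sample output in the same format.
# "com.example.unknown_forensics" is a placeholder, not a real indicator.

BASELINE_SAMPLE='package:com.android.chrome
package:org.thoughtcrime.securesms
package:com.whatsapp'

AFTER_SAMPLE='package:com.android.chrome
package:org.thoughtcrime.securesms
package:com.whatsapp
package:com.example.unknown_forensics'

# Strip the "package:" prefix that pm prints and produce a sorted, unique list
# (comm below requires sorted input).
normalize_packages() {
    sed -n 's/^package://p' | sort -u
}

# Print package names present in the second list but absent from the first.
# Arguments are the raw contents of the baseline and the after snapshot.
new_packages() {
    b=$(mktemp) || return 1
    a=$(mktemp) || { rm -f "$b"; return 1; }
    printf '%s\n' "$1" | normalize_packages > "$b"
    printf '%s\n' "$2" | normalize_packages > "$a"
    # comm -13 suppresses lines unique to file 1 and lines common to both,
    # leaving only what is new in the after snapshot.
    comm -13 "$b" "$a"
    rm -f "$b" "$a"
}

# Human-readable report for the constructed samples.
report_new_packages() {
    found=$(new_packages "$BASELINE_SAMPLE" "$AFTER_SAMPLE")
    if [ -n "$found" ]; then
        printf 'Third-party packages that were not present before:\n%s\n' "$found"
        printf 'Review each one; an unwanted package can be removed with:\n'
        printf '  adb shell pm uninstall --user 0 <package>\n'
    else
        echo "No new third-party packages."
    fi
}

report_new_packages
```

The baseline is the important half: without a snapshot taken while the device was still trusted, there is nothing to compare against, and a new package can only be judged by name. As the paragraph above notes, this only tells you after the fact that something was installed; it does not recover data that was already copied off the device.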
Massistant is believed to be the successor to another tool called MSSocket, also from Xiamen Meiya Pico. This company holds a significant share of the digital forensics market in China and was even sanctioned by the U.S. government in 2021 for its role in supplying technology to the Chinese government.
Balaam also noted that Massistant is just one of many spyware and malware tools coming out of China. She described it as a "big ecosystem" of surveillance tech, with her team tracking at least 15 different malware families.
[Image: Massistant malware]

Source: TechCrunch