Cybersecurity experts in three separate research efforts have confirmed the existence of a new surveillance tool used by Chinese police to spy on citizens, including the technique it uses to collect alarming amounts of data.
The tool, MFSocket, can be installed on both Android and iOS devices, but not by the users themselves: it is installed by the police. For the tool to end up on a user's phone, the user has to contact the police, go to the police station, and have the app installed there.
This part of the technique was figured out by a Chinese journalist, Muyi Xiao, who posted a thread on her Twitter account about an Android application called MFSocket. According to the journalist, people on Chinese social networks had been reporting incidents of police checking people's phones in Beijing and Shanghai, and her investigation led her to the questionable application.
The journalist said that when she performed a Google search for the app, she found a warning: "When the police check the phone, it will be installed for you: Mfsocket."
"Yesterday, the company asked us to go to the police station, and then the police installed a software called MFsocket. I thought it was monitoring software!" she wrote on her Twitter account.
Following her investigation, Muyi discovered that MFSocket was developed by a company named Meiya Pico, a discovery that was later confirmed by subsequent research conducted by other tech experts. In the past, Meiya Pico has been exposed as a Chinese firm that sells forensics products to the Chinese authorities.
How does MFSocket work?
For starters, as mentioned earlier, the app has to be installed by a police officer inside the police station. This also explains why the police appear to use Windows software to operate the app.
Through another investigation, published on Medium by the researcher Elliot Alderson, it was discovered that the app requires a plethora of permissions to work. It requires the user to allow the app to read call logs, access contacts and SMS, read calendar entries, access the SD card, disable the lock screen, access the device's location, and install a new app without the user's consent.
"Having so many dangerous permissions in the same app is the first alarm," Alderson said. "Another alarm! This app asks for a lot of dangerous permissions, but is only made of an activity and a receiver," he added.
The researcher also raised the question of why the app doesn't have an icon. An app icon is the launcher entry that users tap to start the app; without one, the app cannot be launched from the home screen in the usual way.
"So how are the police launching the app without an icon? By using the Windows software we saw above in the troubleshooting guide!"
Furthermore, Alderson discovered that the app has a USBBroadcastReceiver, which he said is "very rare": an end user has no need for it, which raises the question of why the app has one.
Further analysis of the app and its code revealed that its communication pattern differs from that of ordinary applications. Instead of a server and the app exchanging messages in both directions, MFSocket does not receive any communications from the Windows-side software; it only sends data to it.
All of these discoveries point to one thing: the police plug a user's phone into the Windows machine, collect data from the phone, unplug it, and the app is automatically deleted once everything is done.
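The indicators Alderson lists (many sensitive permissions, no launcher icon, a USB broadcast receiver, and almost no components) are things a defender can check mechanically in any Android manifest. The script below is an added example written for this article; it is not the researcher's tooling and the two manifests in it are constructed for illustration, not MFSocket's real manifest. The mapping from the capabilities named in the article to Android permission names is this example's assumption.

```python
"""Triage an Android manifest for the indicators described in the article.

Added example: the manifests below are constructed samples, not the real app's.
"""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for the android:name attribute

# Permission names assumed to correspond to the capabilities the article lists
# (call logs, contacts, SMS, calendar, SD card, lock screen, location, installs).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.DISABLE_KEYGUARD",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
USB_ATTACHED = "android.hardware.usb.action.USB_DEVICE_ATTACHED"

# Constructed manifest mirroring the article's indicators: many permissions,
# one activity with no launcher intent filter, and one USB receiver.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.suspicious">
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="sample">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".UsbReceiver">
            <intent-filter>
                <action android:name="android.hardware.usb.action.USB_DEVICE_ATTACHED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed ordinary app for contrast: a launcher activity and one permission.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="notes">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""


def _is_launcher(activity):
    """True if the activity carries a MAIN/LAUNCHER intent filter (i.e. has an icon)."""
    for flt in activity.findall("intent-filter"):
        actions = {a.get(NAME) for a in flt.findall("action")}
        cats = {c.get(NAME) for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def triage_manifest(xml_text):
    """Return a report dict with the raw observations and a list of findings."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    app = root.find("application")
    activities = app.findall("activity") if app is not None else []
    receivers = app.findall("receiver") if app is not None else []
    services = app.findall("service") if app is not None else []
    n_components = len(activities) + len(receivers) + len(services)

    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    has_launcher = any(_is_launcher(a) for a in activities)
    usb_receiver = any(a.get(NAME) == USB_ATTACHED for r in receivers for a in r.iter("action"))

    findings = []
    if len(sensitive) >= 5:
        findings.append(f"{len(sensitive)} sensitive permissions requested")
    if not has_launcher:
        findings.append("no launcher activity: app has no icon and must be started externally")
    if usb_receiver:
        findings.append("broadcast receiver reacts to USB device attachment")
    if len(sensitive) >= 5 and n_components <= 2:
        findings.append("many permissions but only a handful of components")

    return {
        "package": root.get("package"),
        "sensitive_permissions": sensitive,
        "has_launcher_activity": has_launcher,
        "usb_attach_receiver": usb_receiver,
        "component_count": n_components,
        "findings": findings,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(triage_manifest(manifest), indent=2))
```

On a real device the manifest comes from the APK (for example via the `aapt dump xmltree` output or a decompiler), but the checks themselves are the same: each finding on its own is common in legitimate software, and it is the combination that Alderson treats as the alarm.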
What kind of data is being collected?
According to Alderson, the communication pattern used by the app allows police to collect sensitive data from users without their knowledge. This data includes contacts, SMS, call logs, location, installed apps, audio files, image files, and calendar events, among others.
Additionally, the data collected by the police isn't just surface-level data. Alderson also discovered that the app includes data modules that let it dig deeper into the phone to extract detailed information. In AudioMsgModule, it collects the title, album, artist, and the date the user added each audio file saved on the phone. In CalendarMsgModule, it extracts all the information contained in the user's calendar: the title of the event, location, description, start time, end time, and more.
It works with iPhones too
While Alderson's analysis is limited to Android devices, a similar investigation by Victor Gevers, a tech researcher from GDI.Foundation, yielded similar results for iOS devices, which he also documented on his Twitter account.
"The MFSocket.ipa (part of the Meiyapico's Phone Forensics System) can extract data from iPhones, gets installed in the MobileMaster\Mobile Support\BaseTool\iPhone\iPA\Enterprise directory and requires being manually 'trusted'/accepted in Profiles & Device Management," he wrote.
Gevers revealed that the MFSocket.ipa has already been flagged as malware by VirusTotal.