Hey, look at this! In 2 of the 3 certificates we can find the name of the Meiya Pico company. Muyi was right: we can say with a high probability that Meiya Pico is behind MFSocket. It’s time for some fun, let’s see what this app is made of!

AndroidManifest.xml

When you analyse an Android app you should always start by looking at the AndroidManifest.xml. Even without reading the code, it will give you an idea of what the app is doing. First, the permissions.

MFSocket permissions

This app asks for a lot of dangerous permissions:

- Read your call log, your contacts, your SMS, your calendar, your SD card

- Disable the lock screen

- Access your location

- Install a new app without your consent

- …

Having so many dangerous permissions in the same app is a first alarm.

MFSocket AndroidManifest

Another alarm! This app asks for a lot of dangerous permissions, but is made of only one activity and one receiver. Moreover, we can see that the activity doesn’t have the LAUNCHER category, which means that this app doesn’t have an icon. So how does the police launch an app without an icon? By using the Windows software we saw above in the troubleshooting guide!

File hierarchy

File hierarchy of MFSocket

Please note that the code was obfuscated; I renamed everything back to the original names.

By only looking at the image above, we already have a lot of information:

- MsgModule package: We have the confirmation that this app is a surveillance tool. The file names show that this app uses all the dangerous permissions mentioned in the AndroidManifest.xml

- Server package: It’s running a server

- Xiaomi package: Something special is done/needed with Xiaomi phones

- CmdParser file: It’s able to receive and parse commands

- USBBroadcastReceiver file: Something happens when the policeman plugs/unplugs the victim’s phone from his computer

Communication Analysis

Did you notice? This app runs a server and receives commands. In general it is the other way around: an Android app sends data to a server, not the reverse.

startServer method

In the startServer method, MFSocket opens port 10102 locally on your phone and waits for a command.

Port 10102 is open

As expected, when I launched the app, port 10102 was open locally. This gives us another piece of information: this is something local, the tool is not made to send commands remotely to victims’ phones.

Available commands

The names of the available commands are clear. With this app, the policeman is able to get contacts, SMS, call log, locations, apps, audio files, image files, calendar events, …

USBBroadcastReceiver

It’s very rare to see a receiver for USB events. An end-user application doesn’t need that in general. So why do they need it in this case?

USBBroadcastReceiver

This is crystal clear: when the policeman unplugs the victim’s phone from his computer, the app uninstalls itself. No trace left. This is sneaky.
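To turn the manifest findings and the USB receiver discussed above into something reusable, here is an added example of my own (not code from the original post, and not Meiya Pico’s code): a small Python triage script that checks an AndroidManifest.xml for the three warning signs seen in MFSocket, namely many dangerous permissions, an activity without the LAUNCHER category (no icon), and a receiver registered for USB events. The manifest below is constructed for illustration, and the USB action names and the "suspicious" threshold are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # ElementTree keys namespaced attributes as {ns}name

DANGEROUS = {  # subset of the permissions Android classifies as "dangerous" (runtime-granted)
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS", "android.permission.READ_CALENDAR",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.ACCESS_FINE_LOCATION"}
# Assumed USB broadcast actions a receiver like USBBroadcastReceiver might register for
USB_ACTIONS = {"android.hardware.usb.action.USB_DEVICE_DETACHED",
               "android.hardware.usb.action.USB_STATE"}

# Constructed manifest that mimics the pattern described in the post (not MFSocket's real one)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".USBBroadcastReceiver">
      <intent-filter><action android:name="android.hardware.usb.action.USB_DEVICE_DETACHED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage(manifest_xml: str) -> dict:
    # Flag the three warning signs: dangerous permissions, no launcher icon, USB receiver
    root = ET.fromstring(manifest_xml)
    dangerous = sorted({e.get(NAME) for e in root.iter("uses-permission")} & DANGEROUS)
    activities = list(root.iter("activity"))
    has_launcher = any(c.get(NAME) == "android.intent.category.LAUNCHER"
                       for a in activities for c in a.iter("category"))
    usb_receivers = sorted(r.get(NAME) for r in root.iter("receiver")
                           if any(a.get(NAME) in USB_ACTIONS for a in r.iter("action")))
    components = len(activities) + len(list(root.iter("service"))) + len(list(root.iter("receiver")))
    return {
        "dangerous_permissions": dangerous,
        "component_count": components,  # MFSocket had just one activity and one receiver
        "has_launcher_icon": has_launcher,
        "usb_receivers": usb_receivers,
        # Heuristic only (assumed threshold): all three signs together is the MFSocket profile
        "suspicious": len(dangerous) >= 4 and not has_launcher and bool(usb_receivers),
    }
```

Run it against a manifest pulled from an APK with apktool or similar; a hit on all three signs is a reason to look at the code, not proof by itself.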

MsgModule Package

I have already said a lot about the type of data this app is able to extract. Let’s look at some of the MsgModules.

AudioMsgModule

In AudioMsgModule, they are interested in the title, album, artist, the date you added the audio file, …

CalendarMsgModule

In CalendarMsgModule, they extract all the information contained in your calendar: title of the event, location, description, start time, end time, …

SmsMsgModule

Obviously, in SmsMsgModule they take all your SMS with their metadata: person, address, date, protocol, …

ContactsMsgOS20Module

In ContactsMsgOS20Module, they are after your Telegram contacts.

Final Scenario

Imagine you are a Chinese citizen and your company has asked you to go to the police station.

You: Hi Mr Policeman!

Policeman: Hi! May I have your phone?

You: Sure. Here it is.

Policeman: Can you unlock it?

You: Sure, of course.

Policeman: Sit down here and wait.

Meanwhile the policeman goes to his desk and plugs your phone into his computer. He uses the Meiya Pico Windows software to install MFSocket. When the install is complete, with one click he extracts all your personal data from your phone. A few minutes later, the extraction is successful. The officer unplugs your phone from his computer, and the app uninstalls itself.

Policeman: You can take your phone. Thank you for your collaboration.

You: Thank you sir. Have a nice day!

Policeman: You too.

Conclusion

This is sick and this is not a fictional scenario. This is the reality.

Ask yourself these questions:

- Did you notice the level of detail in the extracted data? Why do they need so much data?

- After the extraction by the policeman, where do they send this data?

- Imagine this scene, in your country. Scary, right?

Update 26/06/19: The awesome Victor Gevers published a Twitter thread about MFSocket for iOS.

MFSocket for iOS

If you like this article, feel free to follow me on Twitter