Inside China’s Phone-Seizing Malware—and How Corporate Security Is Adapting
- Cyber Jill

- Jul 16
When Chinese police seize your phone, they don’t need a password—or a warrant—to get what they want. Thanks to new forensic malware known as Massistant, authorities can extract troves of personal data from Android phones, including encrypted chats, location histories, audio files, and more. The tool, built by Chinese surveillance tech company Xiamen Meiya Pico, underscores the expanding scope of state surveillance and the stark reality for both Chinese citizens and foreign travelers: privacy is no longer a given.
Massistant isn’t some high-end spyware requiring zero-day or remote exploits to function. It needs only one thing: physical access. Once a phone is unlocked and in the hands of the authorities, the malware does the rest, harvesting sensitive information through a hardware-software combo that connects devices to a desktop extraction system. It even appears capable of targeting iPhones, although researchers haven’t yet analyzed an iOS version.
Security researchers at Lookout, who examined the malware, say its usage is widespread—supported by complaints from local Chinese forum users who discovered the software on their phones after encounters with police. But while the technical capabilities of Massistant are concerning, cybersecurity experts are more focused on how to protect against such threats in real-world scenarios, especially for businesses operating internationally.
“No Expectation of Privacy”
Randolph Barr, Chief Information Security Officer at Cequence, has a blunt take: “In China, individuals — whether citizens or visitors — have no expectation of privacy.” That legal backdrop, coupled with China’s 2024 legislation giving police warrantless search powers, creates a uniquely hostile environment for digital privacy.
“Authorities are within their rights to inspect and extract data from mobile devices, and individuals are legally required to comply with their instructions,” Barr explains. “Tools like Massistant make it even easier for officials to extract a wide range of data from Android phones once they are unlocked — including messages from encrypted apps like Signal, photos, audio, and contact info.”
Even though there’s no confirmed iOS version of the tool, Barr warns that doesn’t mean one doesn’t already exist—or won’t be developed soon. The opacity of China’s surveillance technology ecosystem makes predicting its capabilities difficult, but not taking the possibility seriously would be a mistake.
Security by Subtraction
To mitigate risks, Cequence has implemented strict travel security policies for employees entering China.
“Our stance is clear,” says Barr. “Employees traveling to China for business should be issued a clean, temporary device that is fully locked down — no confidential apps or data stored locally. Secure access to cloud resources will be enabled, but only with multi-factor authentication and strict access controls.”
Biometrics are also off the table. “Biometric authentication will be disabled in favor of passcodes to reduce the risk of involuntary device unlocking,” Barr notes—a precaution that acknowledges legal gray areas around fingerprint or face-based access.
And then there’s the network. No free hotel Wi-Fi or local SIM cards here. “We will also train team members to avoid connecting to local networks unless via a company-approved VPN.”
Leave Work at Home
Barr’s warning isn’t just for professionals: “If anyone is traveling to China for personal or vacation purposes, they should not bring any company-issued devices under any circumstance.”
For corporations, the rise of forensic extraction malware like Massistant is not just a cybersecurity issue—it’s an operational one. Travel policies, device configurations, employee training, and data governance must all adapt to a world where border checkpoints may now double as data collection stations.
And for travelers—whether tech-savvy professionals or unsuspecting tourists—the takeaway is stark: when you enter China, so does your data. And you may not be the one holding the keys.


