
MEFF M3 Pro: professional mobile malware & spyware detection — how it works

Your smartphone contains your entire life: banking details, confidential emails, location history, conversations, and photographs. This is precisely why your phone is a target for advanced spyware. Pegasus, Predator, stalkerware — the threats are real and growing. But how do you detect malware that is designed to remain invisible?

SAJ Recherche deploys the MEFF M3 Pro: a professional platform for mobile malware and spyware detection. In this article, we explain how this technology works, which scan modules are used, and why remote scanning represents a breakthrough in digital security.

What is the MEFF M3 Pro?

The MEFF M3 Pro is a professional security platform specifically designed for detecting advanced threats on Android and iOS devices. The system combines multiple analysis methods — from forensic inspection to AI-powered threat analysis — in a single integrated platform.

Unlike consumer solutions that only recognise known viruses, the MEFF M3 Pro is designed to detect so-called “government-grade” trojans: spyware developed by specialised companies and deployed by governments, intelligence agencies, and cybercriminals. Think of Pegasus by the NSO Group, but also of commercial stalkerware that is becoming increasingly sophisticated.

The platform generates a detailed forensic report after each scan, suitable for use as evidence in legal proceedings.

The four scan modules

The MEFF M3 Pro operates with four specialised scan modules, each covering a different aspect of mobile security. Together, they provide a complete threat picture.

1. Android Malware Scanner

The Android module connects to the device via USB using WebADB technology. Once the connection is established, all installed applications are analysed in real time. The system checks:

  • Critical permissions — apps that have access to the microphone, camera, location, contacts, SMS messages, or call history are flagged for further analysis.
  • Known malware signatures — comparison against a continuously updated database of known trojans, including Pegasus, Predator, and commercial stalkerware.
  • Suspicious app behaviour — detection of apps that send data in the background, establish encrypted connections to unknown servers, or hide behind legitimate app names.
  • System integrity — checks for rootkits, modified system files, and unauthorised configuration changes.
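The critical-permissions check described above can be illustrated with a short script. This is an added example, not code from the MEFF M3 Pro; it assumes text in the shape of `adb shell dumpsys package` output, and the sample below is constructed and abbreviated (real output varies between Android versions). It reports only permissions that are actually granted, not merely requested.

```python
import re

# Real Android permission names, grouped by the categories listed above.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call history",
}

# Constructed, abbreviated sample (package names are placeholders).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (1a2b3c):
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_SMS
      android.permission.RECORD_AUDIO
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true
        android.permission.READ_SMS: granted=true
        android.permission.RECORD_AUDIO: granted=false
  Package [com.example.notes] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_sensitive(dumpsys_text):
    """Map package name -> sorted sensitive categories that are granted."""
    result, current = {}, None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            result[current] = set()
            continue
        grant = GRANT_RE.match(line)
        # A permission listed under "requested permissions" has no
        # granted= suffix, so it is ignored until a grant line confirms it.
        if grant and current and grant.group(2) == "true":
            category = SENSITIVE.get(grant.group(1))
            if category:
                result[current].add(category)
    return {pkg: sorted(cats) for pkg, cats in result.items() if cats}

if __name__ == "__main__":
    print(granted_sensitive(SAMPLE_DUMPSYS))
```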

2. iOS Forensic Analysis

Apple’s iOS ecosystem is closed, which makes direct scanning difficult. The MEFF M3 Pro solves this through analysis of the so-called sysdiagnose file: a comprehensive diagnostic report that iOS automatically generates, containing thousands of log files.

The system supports multi-upload: multiple sysdiagnose files can be analysed simultaneously, enabling efficient processing of large numbers of devices.

The core of the iOS analysis is MVT certification. MVT stands for Mobile Verification Toolkit, an open-source forensic framework originally developed by Amnesty International Security Lab. MVT is the industry standard for detecting Pegasus infections and other advanced iOS spyware. The MEFF M3 Pro integrates MVT-certified analyses, ensuring that results meet forensic standards.

3. Network Traffic Analyzer

Even the most advanced spyware must communicate with an external server at some point — to transmit stolen data or receive new instructions. The Network Traffic Analyzer addresses this by intercepting and analysing live network traffic.

The system operates via a controlled hotspot connection. The device under investigation is connected to a secure hotspot that routes all traffic through the analysis module. The system then analyses:

  • DNS requests — which domain names are being queried by the device, including comparison against databases of known command-and-control servers.
  • Suspicious IP addresses — connections to servers in regions associated with cyberattacks or that have no logical relationship to the installed apps.
  • Encrypted data streams — detection of unusual encrypted connections that may indicate data exfiltration.
  • Background traffic — analysis of which apps transmit data when not actively being used.

The technical foundation is Tshark, the command-line version of Wireshark — the industry standard for network analysis.
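The DNS comparison described above can be sketched as follows. This is an added example, not code from the MEFF M3 Pro; it assumes tab-separated Tshark field output, and the indicator list and captured lines are constructed placeholders. Names are matched on whole DNS labels so that subdomains of an indicator are caught while look-alike names are not.

```python
# Constructed indicator list: placeholder domains, not real IoCs.
C2_DOMAINS = {"c2-update.example", "cdn.tracker-sync.test"}

# Constructed sample of tab-separated output, in the shape produced by:
#   tshark -i <iface> -Y "dns.flags.response == 0" \
#          -T fields -e frame.time_epoch -e ip.src -e dns.qry.name
SAMPLE_TSHARK = (
    "1700000000.10\t10.42.0.15\twww.example.org\n"
    "1700000003.52\t10.42.0.15\tapi.C2-Update.example.\n"
    "1700000004.01\t10.42.0.15\tnotc2-update.example\n"
    "1700000009.77\t10.42.0.15\tcdn.tracker-sync.test\n"
    "1700000011.00\t10.42.0.15\t\n"
)

def normalise(name):
    """Lower-case and drop the trailing root dot; DNS names are case-insensitive."""
    return name.strip().rstrip(".").lower()

def matching_indicator(qname, indicators):
    """Return the indicator that qname equals or is a subdomain of, else None.

    Matching is done on whole labels, so 'notc2-update.example' does not
    match 'c2-update.example' the way a naive endswith() would.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in indicators:
            return suffix
    return None

def scan_dns(tshark_text, indicators=C2_DOMAINS):
    """Return one hit per DNS query whose name falls under an indicator."""
    hits = []
    for line in tshark_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3 or not fields[2]:
            continue  # malformed line or packet without a query name
        for name in fields[2].split(","):  # tshark comma-joins repeated fields
            indicator = matching_indicator(name, indicators)
            if indicator:
                hits.append({"time": fields[0], "client": fields[1],
                             "query": normalise(name), "indicator": indicator})
    return hits

if __name__ == "__main__":
    for hit in scan_dns(SAMPLE_TSHARK):
        print(hit)
```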

4. AI-powered Threat Analysis

All data collected from the three preceding modules is aggregated and analysed by an AI model based on GPT-4o. This module functions as a digital threat analyst that recognises patterns that human analysts might miss.

The AI module categorises each detected threat by severity, provides context for the findings, and generates recommendations. The result is not merely a list of suspicious items, but a structured threat assessment that is comprehensible to both technical specialists and non-technical clients.

Remote scanning: the breakthrough

Traditionally, mobile malware detection requires you to physically hand over your device to a specialist. This is not always practical or desirable — particularly if you are abroad, if the device is part of an ongoing investigation, or if you simply do not want your phone out of your sight.

The MEFF M3 Pro offers the capability for remote scanning via a secure connection. This means a SAJ Recherche specialist can analyse your device remotely without requiring your physical presence. You connect via an encrypted channel, after which the scanner reads and analyses the necessary diagnostic data remotely.

This makes professional malware detection accessible for:

  • Executives on business travel who cannot leave their device behind
  • International clients who do not need to travel to the Netherlands
  • Companies with multiple locations that want all devices checked centrally
  • Urgent situations where speed is critical and waiting for a physical appointment is not acceptable

System architecture

The technical backbone of the MEFF M3 Pro combines proven technologies:

  • Backend: Python FastAPI for rapid API processing, MongoDB Atlas for secure cloud storage of scan results, Tshark for network analysis, and ReportLab for generating forensic PDF reports.
  • Frontend: React.js with an optimised interface, Tailwind CSS for styling, and i18next for multilingual support.
  • Connections: WebADB for direct USB communication with Android devices, an integrated hotspot for network analysis, and a secure remote connection for remote scanning.

The continuously updated threat database contains signatures of known government-grade trojans and commercial spyware. Updates are automatically applied via a secure update channel.

The forensic report

After each scan, the MEFF M3 Pro automatically generates a multilingual PDF report. This report contains:

  • Device details — make, model, operating system, serial number, and scan parameters
  • Detected threats — for each threat, a detailed description, severity classification, and technical indicators
  • AI analysis — the complete threat assessment by the AI model, including contextual analysis and risk assessment
  • MVT verification results — the outcomes of the MVT-certified analysis (for iOS devices)
  • Network analysis — overview of suspicious connections, DNS requests, and IP addresses
  • Recommendations — concrete follow-up steps based on the findings

The report meets forensic documentation standards and is suitable for use as evidence in legal proceedings, criminal cases, and integrity investigations.

Who is this technology for?

The MEFF M3 Pro is deployed worldwide by cybersecurity professionals, law enforcement agencies, and security firms. SAJ Recherche offers this technology for:

  • Individuals — when suspecting stalkerware, spyware installed by an (ex-)partner, or after theft or loss of a device
  • Businesses — for compliance checks, pre-employment device screening, or after a security incident
  • Law firms — to protect legal professional privilege and confidential client communications
  • Law enforcement — as part of digital forensic investigations

SAJ Recherche holds POB licence 8779 from the Dutch Ministry of Justice and Security. All scans are performed by qualified Private Investigators.

Packages and pricing

SAJ Recherche offers three packages:

  • Individual (1 device) — from EUR 295
  • Business (up to 10 devices) — from EUR 995
  • Enterprise (unlimited devices) — pricing on request

All packages include the full forensic report and the option for remote scanning.

Want to have your phone scanned? View our packages or contact us directly.

Call or WhatsApp: +31 20 782 3222 for a confidential conversation with a specialist.

SAJ Recherche Editorial

The SAJ Recherche editorial team writes about investigation, fraud, evidence law and security. POB licence 8779.

Cite this article

APA

SAJ Recherche (2026). MEFF M3 Pro: professional mobile malware & spyware detection — how it works. sajrecherche.com. https://sajrecherche.com/en/blog/meff-m3-pro-mobile-malware-spyware-detection
