News

CTTL-T of CAICT released the mobile agent risk inspection engine "M-ARC"

Author:CTTL-T Published at:2026-03-30

As AI agents accelerate their penetration into mobile terminals, cross-application collaboration and automated execution capabilities are reshaping the user experience while also bringing more hidden security challenges. In order to cope with this problem and fill the gap in mobile agent security inspection, the CTTL Terminal Labs (CTTL-T) of China Academy of Information and Communications Technology (hereinafter referred to as "CAICT")  officially released a self-developed professional testing tool M-ARC (Mobile Agent Risk & Check).

The Chinese word of "M-ARC" is Mai-Ke has its own meaning: "Mai" not only represents the continuous progress of mobile technology towards intelligence, but also reflects the responsibility of CTTL-T to promote industrial upgrading; "Ke" is taken from "abiding by regulations", which accurately corresponds to the core mission of security inspection, emphasizing the necessity of maintaining the bottom line of safety in the AI era. It is based on this positioning that "Mai-ke" is not only an industry-oriented testing tool, but also a bridge connecting academic frontiers and industrial practice.

M-ARC is built based on multi-dimensional semantic analysis technology, and realizes deep penetrating detection of the code layer of mobile applications through multi-level static code analysis and dynamic behavior modeling. While ensuring high detection rates, it has efficient scanning capabilities to quickly complete security checks for large-scale applications. The detection results are presented as visual reports to accurately locate risk codes and provide remediation priority suggestions, facilitating rapid response and rectification by the development team.

[Core positioning: professional audit tool for mobile agents]

M-ARC closely follows the characteristics of the mobile terminal, with built-in 13 types of detection rules and a total of 96 special rules, building a systematic security audit capability

Deep identification of agent behavior: Customize 47 audit rules for mobile scenarios, covering 8 types of agent-specific risks, such as automatic execution without confirmation, illegal takeover of AI calls, and abuse of barrier-free services.

MCP protocol special audit: For the model context protocol (MCP), realize automatic detection of 10 types of high-risk vulnerabilities, such as tool poisoning, dynamic configuration tampering, and context pollution.

End-side privacy full-link protection: Integrates more than 500 mainstream security rules to provide detection support for the security development of mobile AI ecosystem.

At present, CTTL-T has completed the test and evaluation of two mainstream mobile phone agents based on the "Mai-ke" tool (click this link to check test evaluation details). On this basis,  CTTL-T officially launched the formulation of mobile agent evaluation specifications. We sincerely invite mobile phone manufacturers and AI agent developers to jointly connect to M-ARC to carry out normalized security monitoring, deeply participate in the discussion and construction of industry standards, and work together to promote the safe and orderly development of mobile AI applications.