
New Malware Exploits TASPEN Legacy Systems to Target Indonesian Elderly

Threat actors are leveraging the trusted brand of Indonesia’s state pension fund, PT Dana Tabungan dan Asuransi Pegawai Negeri (Persero), or TASPEN, to deploy a malicious Android application disguised as an official portal.

This banking trojan and spyware targets pensioners and civil servants, exploiting legacy systems and digital transformation vulnerabilities to steal sensitive data including banking credentials, SMS-based one-time passwords (OTPs), and biometric information via facial video capture.

The operation, which mimics TASPEN’s branding in Bahasa Indonesia, begins with a phishing website that lures victims into downloading the APK, employing advanced evasion tactics to bypass detection and facilitate real-time data exfiltration to a command-and-control (C2) server.

[Figure: The Attack Lifecycle]

Technical Dissection

The attack chain exploits TASPEN’s role in managing over $15.9 billion in assets for millions of retirees, capitalizing on the demographic’s increasing reliance on digital services amid Indonesia’s digital transformation push.

Adversaries deploy a phishing domain, taspen[.]ahngo[.]cc, featuring weaponized Google Play buttons that trigger direct APK downloads, while decoy App Store alerts in Indonesian maintain the facade.

According to the CloudSEK report, the malware is packed with DPT-Shell for DEX encryption and unpacks at runtime, dropping a ZIP payload (i111111.zip) containing the malicious .dex files into the device’s code_cache directory. This defeats static analysis; the modular spyware components are only revealed upon execution.

[Figure: DEX Packing]

Key services include SmsService for intercepting OTPs to enable fraudulent transactions, ScreenRecordService for real-time activity monitoring, CameraService for biometric theft via video compression and upload, and ContactData classes for harvesting address books to support further phishing.

Communication occurs over encrypted HTTP POST to rpc.syids.top/x/login, disguised as failed logins with HTTP 400 errors, and a WebSocket channel at wss://rpc.syids.top/x/command for instant C2 commands.
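As an added example that is not from the article or the CloudSEK report, the following Python detector flags the C2 pattern described above in proxy logs. The log format and the sample lines are constructed for this example; the domain, IP address and paths are the indicators the article lists. The point it makes is that a log filter which discards 4xx responses as "failed logins" would miss these beacons, so matching must key on destination and path rather than status.

```python
import re
from collections import defaultdict

# Indicators from the article's IoC table.
C2_DOMAIN = "rpc.syids.top"
C2_IP = "38.47.53.168"
C2_PATHS = {"/x/login": "credential exfiltration", "/x/command": "WebSocket C2 channel"}

# Constructed (assumed) proxy-log format: ts client dst_host dst_ip method path status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<ip>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one infected client (10.0.0.7) and one benign client (10.0.0.9).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.0.0.7 rpc.syids.top 38.47.53.168 POST /x/login 400
2024-05-01T08:00:02Z 10.0.0.7 rpc.syids.top 38.47.53.168 POST /x/login 400
2024-05-01T08:00:03Z 10.0.0.7 rpc.syids.top 38.47.53.168 GET /x/command 101
2024-05-01T08:00:04Z 10.0.0.9 portal.example.id 203.0.113.5 POST /login 400
2024-05-01T08:00:05Z 10.0.0.9 www.example.com 203.0.113.6 GET / 200
"""

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_c2(log_text):
    """Return {client: [findings]} for every client that contacted the C2 infrastructure.

    Matching is on destination host/IP and path; the HTTP status is annotated,
    not filtered on, because the 400 responses are the malware's disguise.
    """
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not (rec["host"] == C2_DOMAIN or rec["ip"] == C2_IP):
            continue
        purpose = C2_PATHS.get(rec["path"], "unknown path on C2 host")
        note = f"{rec['method']} {rec['path']} -> {rec['status']} ({purpose})"
        if rec["path"] == "/x/login" and rec["status"] == "400":
            note += " [400 is the disguise, not a real failure]"
        if rec["status"] == "101":
            note += " [WebSocket upgrade]"
        findings[rec["client"]].append(note)
    return dict(findings)

if __name__ == "__main__":
    for client, notes in detect_c2(SAMPLE_LOG).items():
        print(client)
        for n in notes:
            print("  ", n)
```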

Linguistic artifacts, such as Simplified Chinese error messages like “获取数据失败” and “缺少参数关闭,” point to Chinese-speaking actors, potentially linked to APT groups like Earth Kurma or cybercrime syndicates.

Anti-analysis measures detect Frida hooks, triggering segmentation faults, though custom JavaScript intercepts have exposed plaintext JSON payloads confirming credential and device metadata theft.

Broader Impacts

This campaign erodes public trust in Indonesia’s digital ecosystem, targeting vulnerable seniors with lower digital literacy, leading to financial losses, psychological distress, and systemic risks for banks through increased fraud investigations and reimbursements.

Estimated economic damage could reach tens of millions, drawing parallels to regional threats against pension funds in Southeast Asia, including Singapore’s CPF.

The replicable TTPs (social engineering, evasion packing, and biometric exfiltration) set a precedent for attacks on institutions like BPJS Kesehatan or Bank Rakyat Indonesia.

To counter this, government bodies like KOMINFO and BSSN should establish rapid takedown frameworks and mandate app security audits, while financial entities implement behavior-based fraud detection and device attestation via Google’s Play Integrity API.

Public recommendations emphasize official app stores, permission scrutiny, and reputable mobile security software. A coordinated response is essential to safeguard Indonesia’s digital infrastructure against such full-spectrum threats.

Indicators of Compromise (IoCs)

| IoC Type | Value | Note |
|---|---|---|
| Phishing Domain | taspen[.]ahngo[.]cc | Primary malware distribution site |
| C2 Domain | rpc.syids.top | Used for credential exfiltration and C2 |
| C2 IP Address | 38.47.53.168 | Used for beaconing/backup C2 over TLS |
| Malware Package Name | org.ptgnj.trbyd.bujuj | The unique identifier for the malicious app |
| Malware File Name | i111111.zip | The name of the dropped payload file |
| Hardcoded Key | NEi81XaCiN91C5rfwHxxZamtTk246iWF | Encryption key found in the malware’s config |
| File Hash (SHA-256) | APK: 3ddefbacd77de58c226a388ad92125e1333a7211fc0b1d636dea778923190c4f | For identification by antivirus and EDR |
| File Hash (SHA-256) | classes.dex: 1963b78a98c24e106ba93168f69ad12914e339a155b797a4d6fb6e8ff88819ea | For identification by antivirus and EDR |
| File Hash (SHA-256) | classes2.dex: c4a4c485660abe8286c58d2f6c8bb7e2e698db305761e703987efc6653c2ec25 | For identification by antivirus and EDR |
| File Hash (SHA-256) | classes3.dex: 5b9bd063360912a57a1cde5c1980594703ab301161c9a91197bff76352410df0 | For identification by antivirus and EDR |
