Taspen APK Malware

I’ll be covering my research on one of the banking trojans circulating and causing financial losses in Indonesia. The malware disguises itself as Taspen.apk. Taspen (Tabungan dan Asuransi Pegawai Negeri) is a state-owned company specializing in savings and insurance for workers employed at state-owned companies.
As with other banking trojans in Indonesia, this malware also circulates on WhatsApp through accounts posing as official representatives of the company.

Plunge it right into jadx and see what’s inside.

Looking at the validity of the signing certificate, this malware seems to be new as of the writing of this article. The certificate is dated 6th Sept 2025, so this malware must have been created on or after that date.
Here the AndroidManifest.xml file is empty, but we do have resources.arsc.. the real manifest might be hidden there.
I wasn’t able to extract the manifest during the static analysis phase.

Inside the main activity, it seems that this malware uses dpt-shell for app protection. dpt-shell is an Android dex protector that hardens the APK against reverse engineering. You can read more here: https://github.com/luoyesiqiu/dpt-shell/

Looking at some of the documentation there (in Chinese, so I translated it with Google Chrome), we now know why we can’t see the malware’s code: the original dex file is split out into a separate zip file and loaded manually at runtime. Using this as a clue, let’s see if we can get more information about that zip.

Using jadx text search, we get something.. i11111i111.zip.. an unusual name, so maybe it contains the so-called dex file. Let’s try installing it on a test device and see what we can get during runtime.

When we reach the registration page, it seems the malware is already facing connection issues. Maybe the domain has already been blocked. Now we know that it uses app.ynsyf.top for communication.

Looking inside the app’s internal storage, we found that zip.. let’s see what’s inside.

Inside we found 3 dex files.. opening them in jadx, it seems the original app is also obfuscated with ProGuard…
Since we have installed this on a lab device, we can run some dynamic tests on it.
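To make the "dex split out into a zip" point above concrete, here is a small triage script (an added example, not part of the original post or of dpt-shell) that walks an APK or a zip pulled from the app's internal storage and reports every entry that is really a dex file, recursing into nested zips. It matches on the dex magic bytes rather than on the file extension, so a renamed payload is still caught. The sample archive it builds is constructed: the nested zip reuses the i11111i111.zip name from the post, the dex bodies are dummy bytes, and a payload that the packer has encrypted with its own scheme will not match here (that is the case where the dex has to be recovered from the device at runtime, as the post does).

```python
import io
import sys
import zipfile

# A dex file starts with "dex\n" + a three-digit version + NUL, e.g. b"dex\n035\x00".
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"


def find_dex_payloads(archive_bytes, prefix="", depth=0, max_depth=4):
    """Return [(path, dex_version)] for every entry whose bytes start with the
    dex magic, recursing into entries that are themselves zip files.

    Matching on content rather than on a '.dex' extension is what catches a
    payload that a packer has renamed or tucked into an oddly named container.
    A payload the packer encrypted with its own scheme will not match here."""
    if depth > max_depth:          # guard against deeply nested or hostile zips
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            try:
                data = zf.read(info)
            except RuntimeError:   # zip-level password protection
                found.append((path, "encrypted"))
                continue
            if data.startswith(DEX_MAGIC):
                found.append((path, data[4:7].decode("ascii", "replace")))
            elif data.startswith(ZIP_MAGIC):
                found.extend(find_dex_payloads(data, path + "!/", depth + 1, max_depth))
    return found


def build_sample_archive():
    """Constructed stand-in for the APK: a loader stub classes.dex at the top
    level and the real code as three dex files inside assets/i11111i111.zip
    (the zip name from the post). The dex bodies are dummy bytes, not real code."""
    def fake_dex(version=b"035"):
        return DEX_MAGIC + version + b"\x00" + b"\x00" * 32

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("classes.dex", fake_dex())
        zf.writestr("classes2.dex", fake_dex())
        zf.writestr("classes3.dex", fake_dex(b"038"))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("classes.dex", fake_dex())            # the protector's loader stub
        zf.writestr("assets/i11111i111.zip", inner.getvalue())
        zf.writestr("AndroidManifest.xml", b"")          # empty, as in the post
    return outer.getvalue()


if __name__ == "__main__":
    # Usage: python3 dex_finder.py sample.apk   (or a zip pulled from the app's data dir)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_archive()
    for path, version in find_dex_payloads(blob):
        print(f"{path}  dex version {version}")
```

Run it against the real APK first: if it reports nothing beyond the stub classes.dex, the payload is not stored in the clear, and the zip recovered from the device's internal storage is the artefact to feed it next.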

Trying to attach Frida leads to the app crashing.. looks like the app has a Frida detector. Probably one of the features of dpt-shell.. will check more into that later.
Using dumpsys, we managed to see which permissions the app is requesting.

A complete starter pack of permissions for a malware attack:
READ_SMS → used to steal OTPs from SMS
QUERY_ALL_PACKAGES → see which apps are installed on the device
BIND_ACCESSIBILITY_SERVICE → you know what it is.. abusing the accessibility service for remote control
REQUEST_DELETE_PACKAGES → self-destruct the malware to destroy any traces
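As an added example (not part of the original post), here is a triage script for exactly this step: it parses the "requested permissions:" block of `adb shell dumpsys package <pkg>` output, flags the permissions the post calls out, and escalates when SMS access and an accessibility service (or overlays) appear together, since that pairing is what lets a trojan both read OTPs and drive the banking app. It goes slightly beyond the post by also flagging RECEIVE_SMS and SYSTEM_ALERT_WINDOW. The dumpsys excerpt is constructed in the shape of real output; the package name and hash in it are placeholders, not values from the sample.

```python
import sys

# Permissions worth a second look in a banking-trojan context. The first four
# are the ones the post pulled from dumpsys; RECEIVE_SMS and SYSTEM_ALERT_WINDOW
# are added here because they round out the same OTP-theft / overlay pattern.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored SMS, including OTP codes",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS as they arrive",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate every installed app",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service: read the screen and inject taps",
    "android.permission.REQUEST_DELETE_PACKAGES": "prompt to uninstall packages, itself included",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
}


def parse_requested_permissions(dumpsys_text):
    """Pull the entries under 'requested permissions:' out of
    `adb shell dumpsys package <pkg>` output. The block ends at the first
    line whose indentation is back at or above the header's level."""
    perms = []
    header_indent = None
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            if stripped == "requested permissions:":
                header_indent = indent
            continue
        if indent <= header_indent:
            break
        # Entry lines are a permission name, sometimes followed by ": flags".
        perms.append(stripped.split(":", 1)[0])
    return perms


def triage(dumpsys_text):
    """Return [(permission, why_it_matters)] for each risky permission found,
    in the order dumpsys listed them."""
    return [(p, RISKY_PERMISSIONS[p])
            for p in parse_requested_permissions(dumpsys_text)
            if p in RISKY_PERMISSIONS]


def verdict(dumpsys_text):
    """Rough heuristic: SMS access together with an accessibility service or
    overlays is escalated above single hits, because that combination lets a
    trojan both read OTPs and operate the victim's banking app."""
    flagged = {p for p, _ in triage(dumpsys_text)}
    sms = flagged & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
    control = flagged & {"android.permission.BIND_ACCESSIBILITY_SERVICE",
                         "android.permission.SYSTEM_ALERT_WINDOW"}
    if sms and control:
        return "high"
    if flagged:
        return "medium"
    return "low"


# Constructed excerpt in the shape of `dumpsys package` output; the package
# name and hash are placeholders, not values from the real sample.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.taspen] (7a1b2c3):
    userId=10234
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.QUERY_ALL_PACKAGES
      android.permission.BIND_ACCESSIBILITY_SERVICE
      android.permission.REQUEST_DELETE_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    # Usage: adb shell dumpsys package <pkg> | python3 perm_triage.py
    text = SAMPLE_DUMPSYS if sys.stdin.isatty() else sys.stdin.read()
    for perm, why in triage(text):
        print(f"{perm:<50} {why}")
    print("verdict:", verdict(text))
```

The verdict is only a prioritisation hint for the analyst; a legitimate SMS app or screen reader will also trip some of these, so the result says which sample to look at first, not whether it is malicious.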
For now, I haven’t been able to decompile the whole app and map out the malware’s full process. But the lesson learned so far is to stay aware and be careful when installing apps, especially those that come from unofficial sources. Make sure to install apps only from the Google Play Store or the official app store for whatever platform you’re using.
Bottom note: I’ll still be exploring this app and will update this blog in the future once I find something more interesting 😉
