- The Hamster Kombat game’s success has attracted malicious actors trying to abuse public interest in the game for monetary gain.
- ESET researchers discovered Android spyware named Ratel pretending to be Hamster Kombat, distributed via an unofficial Telegram channel.
- Android users are also targeted by fake app stores claiming to offer the game but delivering unwanted advertisements instead.
- Windows users can encounter GitHub repositories offering farm bots and auto-clickers that actually contain the infostealer Lumma Stealer cryptors.
BRATISLAVA, KOŠICE — July 23, 2024 —In the past few months, the Telegram clicker game Hamster Kombat has taken the world of cryptocurrency game enthusiasts by storm. As was to be expected, the success of Hamster Kombat has also brought out cybercriminals, who have already started to deploy malware targeting the players of the game. ESET Research has uncovered threats going after both Android and Windows users. Exposing the risks of trying to obtain games and related software from unofficial sources, ESET found several threats in the form of remotely controlled Android malware distributed through an unofficial Hamster Kombat Telegram channel, fake app stores that deliver unwanted advertisements, and GitHub repositories distributing the Lumma Stealer infostealer cryptors for Windows devices while claiming to offer automation tools for the game.
“Even though gameplay, which mostly entails repeatedly tapping the screen of one’s mobile device, might be rather simple, players are after something more: the possibility of earning big once Hamster Kombat’s creators unveil the promised new cryptocoin tied to the game. Unfortunately, we discovered that cybercriminals have also started to capitalise on Hamster Kombat’s popularity,” explains ESET researcher Lukáš Štefanko, who discovered and analysed the Hamster Kombat threats.
Due to its success, the game has already attracted countless copycats that replicate its name and icon and have similar gameplay. Luckily, all the early examples we found were not malicious but nevertheless aim to make money from in-app advertisements.
ESET has identified and analysed two types of threats targeting Android users: a malicious app that contains the Android spyware Ratel and fake websites that impersonate app store interfaces claiming to have Hamster Kombat available for download. ESET researchers found a Telegram channel distributing Android spyware, named Ratel, disguised as Hamster Kombat. This malware is capable of stealing notifications and sending SMS messages. The malware operators use this functionality to pay for subscriptions and services with the victim’s funds, without the victim noticing. Upon startup, the app requests notification access permission and asks to be set as the default SMS application. Once these permissions are granted, the malware gets access to all SMS messages and is able to intercept all displayed notifications.
Even though Hamster Kombat is a mobile game, ESET also found malware abusing the game’s name to spread on Windows. Cybercriminals try to entice Windows users with auxiliary tools that claim to make maximising in-game profits easier for players. ESET research revealed GitHub repositories offering Hamster Kombat farm bots and auto-clickers, which are tools that automate clicks in a game. These repositories actually turned out to be concealing the infamous Lumma Stealer. The GitHub repositories we found either had the malware available directly in the release files or contained links to download it from external file-sharing services. ESET identified three different versions of Lumma Stealers lurking within the repositories.
Lumma Stealer is an infostealer offered as malware-as-a-service, available for purchase on the dark web and on Telegram. First observed in 2022, this malware is commonly distributed via pirated software and spam and targets cryptocurrency wallets, user credentials, two-factor authentication browser extensions, and other sensitive information. Note that Lumma Stealer’s capabilities are not covered in this research since the focus is on the cryptors that deliver this infostealer, not on the infostealer itself.
“Hamster Kombat’s popularity makes it ripe for abuse, which means that it is highly likely that the game will attract more malicious actors in the future,” concludes Štefanko.
For more technical information about Hamster Kombat-related threats, read the blog post “The tapestry of threats targeting Hamster Kombat players” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.
Example GitHub repository spreading Lumma Stealer via an “offer” for a farm bot