The Telegram clicker game Hamster Kombat has become a sensation among cryptocurrency game enthusiasts in recent months. Despite the simple gameplay of tapping the screen repeatedly, players are excited about the potential to earn big rewards when the creators introduce a new cryptocoin tied to the game.
With its success, Hamster Kombat has attracted numerous imitators who replicate its name, icon, and gameplay. While most of these copycats aim to profit from in-app advertisements, ESET researchers have discovered that cybercriminals are also taking advantage of the game’s popularity to distribute malware.
These threats include Android spyware named Ratel posing as Hamster Kombat in an unofficial Telegram channel, fake app stores delivering unwanted ads to Android users, and GitHub repositories distributing Lumma Stealer to Windows users under the guise of automation tools for the game.
Key points of the blogpost:
- Malicious actors are exploiting Hamster Kombat’s success for financial gain.
- Android spyware named Ratel is being distributed through an unofficial Telegram channel.
- Fake app stores are offering the game but delivering unwanted ads to Android users.
- Windows users may encounter Lumma Stealer cryptors in GitHub repositories claiming to provide game automation tools.
What is Hamster Kombat?
Hamster Kombat is an in-app Telegram clicker game where players earn fictional currency by completing tasks and logging in daily. The gameplay involves tapping the screen repeatedly to earn in-game points. The game, launched in March 2024, has gained popularity rapidly, with claims of reaching 150 million active users by June 2024.
The game’s popularity stems from players’ desire to earn money through a new cryptocoin token tied to the game, distributed based on specific criteria like profit-per-hour. The developers aim to replicate the success of Notcoin, which launched the NOT token on Telegram’s TON platform to great acclaim.
Threat analysis
The success of Hamster Kombat has attracted cybercriminals deploying malware targeting both Android and Windows users. Android users face spyware and fake app stores, while Windows users may encounter Lumma Stealer cryptors in GitHub repositories.
As with any lucrative project, Hamster Kombat has drawn the attention of cybersecurity experts and government officials warning of financial risks. However, no malicious activity has been detected in the original app so far.
Android threats
Two types of threats targeting Android users have been identified: a malicious app containing Ratel spyware and fake websites posing as app stores offering Hamster Kombat for download.
Ratel spyware
A Telegram channel distributing Ratel spyware disguised as Hamster Kombat has been found. This malware can steal notifications and send SMS messages to subscribe to services using the victim’s funds.
While the malicious app uses the Hamster Kombat name to lure victims, it lacks any game functionality and requests permissions to access notifications and SMS messages upon installation.
Afterwards, the malware sends an SMS message with the text “Hello! Call me” in Russian to a phone number that likely belongs to the malware operators. The operators can then control the compromised device via SMS, instructing it to send messages or make calls. The malware can also check the victim’s Sberbank (Russia) account balance by sending an SMS with the text “balance” to a specific number, presumably to decide whether further attacks on the victim’s funds are worthwhile.
Ratel also uses notification access permissions to hide notifications from over 200 apps based on a predefined list. Notifications from apps on this list, such as Telegram and WhatsApp, are hidden from the victim. If a notification is received from an app not on the list, Ratel allows the user to see it and forwards it to the C&C server, possibly to update the list of apps to hide notifications from.
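The two capabilities described above, notification access plus SMS permissions on an app with no real game functionality, are a combination an analyst can check for on a device. The triage helper below is an added example, not ESET’s code or tooling: it assumes abridged, constructed imitations of `adb shell dumpsys package` output and of the `enabled_notification_listeners` secure setting (all package names are placeholders) and flags packages that both hold notification access and request SMS permissions.

```python
import re

# Android SMS permissions relevant to the Ratel behaviour described above.
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Constructed, abridged imitation of `adb shell dumpsys package` output
# (not real device output; package names are placeholders).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.hamsterkombat.fake] (1a2b3c):
    userId=10231
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
  Package [com.example.messenger] (4d5e6f):
    userId=10117
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
  Package [com.example.notes] (7a8b9c):
    userId=10042
    requested permissions:
      android.permission.INTERNET
"""

# Constructed imitation of `adb shell settings get secure enabled_notification_listeners`
# (a ':'-separated list of package/component entries).
SAMPLE_LISTENERS = (
    "com.example.hamsterkombat.fake/.NotifService:"
    "com.example.notes/.ReminderListener"
)

def parse_requested_permissions(dumpsys_text):
    """Return {package: set(requested permissions)} from dumpsys-style text."""
    perms, current = {}, None
    for line in dumpsys_text.splitlines():
        m = re.match(r"\s*Package \[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            perms[current] = set()
        elif current and re.match(r"\s+android\.permission\.\S+$", line):
            perms[current].add(line.strip())
    return perms

def parse_listeners(setting_value):
    """Package names that currently hold notification access."""
    return {entry.split("/")[0] for entry in setting_value.split(":") if entry}

def find_ratel_like(dumpsys_text, listeners_value):
    """Packages with notification access that also request SMS permissions."""
    perms = parse_requested_permissions(dumpsys_text)
    return sorted(p for p in parse_listeners(listeners_value)
                  if perms.get(p, set()) & SMS_PERMS)
```

Only the fake game package is flagged: the messenger requests SMS but has no notification access, and the notes app has notification access but no SMS permissions.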
Additionally, fake websites impersonating app store interfaces have been discovered, claiming to offer the Hamster Kombat game for download but redirecting users to unwanted advertisements instead.
Although Hamster Kombat is a mobile game, malware abusing its name has been found on Windows as well. Cybercriminals offer auxiliary tools claiming to help players maximize in-game profits, but these tools actually conceal cryptors carrying the Lumma Stealer malware. The cryptors are distributed through GitHub repositories and use different encryption methods in C++, Go, and Python applications.
The Python applications, when run by the victim, connect to an FTP server, download a password-protected ZIP archive containing the cryptor with Lumma Stealer embedded, and send timestamps of user actions to the C&C server. The cryptor then sends this data to the operators’ Telegram account.