Threat actors are exploiting the immense popularity of the Hamster Kombat game, targeting players with fake Android and Windows software that installs spyware and information-stealing malware.
Game Overview
Hamster Kombat is a clicker mobile game for Android where players earn fictional currency by completing simple tasks, primarily by tapping the screen. Launched in March 2024, the game has attracted significant interest due to its potential to earn a new TON-based crypto token, which is scheduled for introduction later this year.
The game is Telegram-based, requiring players to join its channel on Telegram, scan a QR code provided by a bot, and then launch a web app on their Android devices to play. Since its launch, the game has experienced massive growth, boasting over 250 million players and 53 million users on its Telegram channel.
Although a clone app named 'Hamster Kombat – Earn Crypto' appeared on Google Play (removed by Google after the publication of this article), the genuine project is not available on any official channels except Telegram, which makes those interested in joining easy prey for cybercriminals and scammers.
ESET has identified multiple instances where threat actors use the Hamster Kombat game as bait, extending even beyond Android to other platforms like Windows. The first risk lies in Telegram, where various Hamster-branded channels distribute Android malware to users searching for the official channel.
ESET highlights a channel named 'HAMSTER EASY' that distributes the Ratel Android spyware as an APK file ('Hamster.apk') devoid of any legitimate functionality. Ratel can intercept SMS and device notifications but is mainly used to subscribe the victim to premium services, from which the malware operators receive a cut. The malware hides notifications from 200 apps, so the victim remains unaware they have subscribed to various premium services.
Another malicious campaign employs fake websites like 'hamsterkombat-ua.pro' and 'hamsterkombat-win.pro' that claim to offer the game but instead redirect visitors to advertisements to generate money. ESET notes that Hamster Kombat-branded scams also target Windows users, with Lumma Stealer being distributed through malicious GitHub repositories claiming to offer farming bots for the cryptocurrency game.
"The GitHub repositories we found either had the malware available directly in the release files or contained links to download it from external file-sharing services," reads ESET's report. "We identified three different versions of Lumma Stealer cryptors lurking within the repositories: C++ applications, Go applications, and Python applications." Of the three, the Python version was prepared with better care, even featuring a graphical installer to further the deception until the end of the malware installation process.
Note of Caution
If you're interested in the Hamster Kombat project, you should obtain it directly from its official channel on Telegram or visit the project's website. However, it is important to note that even the genuine game itself has not been scrutinized for security, as it is not available on Google Play or the App Store. The project's whitepaper has not been published yet, and the token launch promises remain unfulfilled.
Additionally, several reports claim that the clone app on Google Play scams users by asking for withdrawal fees and never processing the withdrawals. People should treat any Hamster Kombat copycat apps distributed via any platform or method with suspicion: even those that do not contain malware are almost certainly scams.
Decrypt.co has compiled a list of cryptocurrency gaming projects that launched tokens in 2024 and have a functional system in place. If you're interested in this concept, you might want to consider investing your time in those instead.