Hamster Kombat’s Viral Success Spawns Malicious Copycat
The development comes as cyber criminals are capitalizing on the Telegram-based cryptocurrency game Hamster Kombat for monetary gain, with ESET discovering fake app stores promoting the app, GitHub repositories hosting Lumma Stealer for Windows under the guise of automation tools for the game, and an unofficial Telegram channel that’s used to distribute an Android trojan called Ratel.
The popular game, which launched in March 2024, is estimated to have more than 250 million players, according to the game developer. Telegram CEO Pavel Durov has called Hamster Kombat the “fastest-growing digital service in the world” and said that “Hamster’s team will mint its token on TON, introducing the benefits of blockchain to hundreds of millions of people.”
Ratel, offered via a Telegram channel named “hamster_easy,” is designed to impersonate the game (“Hamster.apk”) and prompts users to grant it notification access and set itself as the default SMS application. It subsequently contacts a remote server, which returns a phone number in its response.
In the next step, the malware sends a Russian language SMS message to that phone number, likely belonging to the malware operators, to receive additional instructions over SMS.
“The threat actors then become capable of controlling the compromised device via SMS: The operator message can contain a text to be sent to a specified number, or even instruct the device to call the number,” ESET said. “The malware is also able to check the victim’s current banking account balance for Sberbank Russia by sending a message with the text баланс (translation: balance) to the number 900.”
Ratel abuses its notification access permissions to hide notifications from no less than 200 apps based on a hard-coded list embedded within it. It’s suspected that this is being done in an attempt to subscribe the victims to various premium services and prevent them from being alerted.
The Slovak cybersecurity firm said it also spotted fake application storefronts that claim to offer Hamster Kombat for download but actually direct users to unwanted ads, as well as GitHub repositories offering Hamster Kombat automation tools that deploy Lumma Stealer instead.
“The success of Hamster Kombat has also brought out cybercriminals, who have already started to deploy malware targeting the players of the game,” Štefanko and Peter Strýček said. “Hamster Kombat’s popularity makes it ripe for abuse, which means that it is highly likely that the game will attract more malicious actors in the future.”
BadPack Android Malware Slips Through the Cracks
Beyond Telegram, malicious APK files targeting Android devices have also taken the form of BadPack, a term that refers to specially crafted package files in which the header information used in the ZIP archive format has been altered in an attempt to obstruct static analysis.
The goal is to prevent the AndroidManifest.xml file – a crucial file that provides essential information about the mobile application – from being extracted and properly parsed, thereby allowing malicious artifacts to be installed without raising any red flags.
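One way to surface the inconsistency described above, as an added example that is not part of the original report or of any vendor's tooling: the script below compares each entry's central-directory record (the view most ZIP libraries trust) with its local file header, builds a constructed sample archive whose manifest entry is tampered the way the text describes, and reports the mismatches. The archive contents are made up and it is not a real APK; only the Python standard library is assumed.

```python
import io
import struct
import zipfile

# Local file header layout (ZIP spec): signature +0, compression method +8,
# compressed size +18, uncompressed size +22, filename length +26, name +30.
LOCAL_SIG = b"PK\x03\x04"

def check_header_consistency(apk: bytes) -> list[str]:
    """Walk the central directory and compare each entry against its local
    file header. Returns one finding per mismatch; an empty list means the
    two views of the archive agree (no BadPack-style tampering detected)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            off, name = info.header_offset, info.filename
            if apk[off:off + 4] != LOCAL_SIG:
                findings.append(f"{name}: bad local header signature")
                continue
            method = struct.unpack_from("<H", apk, off + 8)[0]
            csize, usize = struct.unpack_from("<II", apk, off + 18)
            nlen = struct.unpack_from("<H", apk, off + 26)[0]
            local_name = apk[off + 30:off + 30 + nlen].decode("utf-8", "replace")
            if local_name != name:
                findings.append(f"{name}: local name is {local_name!r}")
            if method != info.compress_type:
                findings.append(f"{name}: method {method} vs {info.compress_type}")
            if csize != info.compress_size:
                findings.append(f"{name}: compressed size {csize} vs {info.compress_size}")
            if usize != info.file_size:
                findings.append(f"{name}: uncompressed size {usize} vs {info.file_size}")
    return findings

def build_sample_apk(tamper: bool) -> bytes:
    """Constructed sample archive (not a real APK) with a manifest entry.
    With tamper=True the manifest's local header gets a bogus compression
    method and zeroed sizes while the central directory is left intact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example'/>" * 4)
        zf.writestr("classes.dex", b"dex\n035\x00" * 8)
    data = bytearray(buf.getvalue())
    if tamper:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            off = zf.getinfo("AndroidManifest.xml").header_offset
        struct.pack_into("<H", data, off + 8, 0xFFFF)   # invalid method
        struct.pack_into("<II", data, off + 18, 0, 0)   # zeroed sizes
    return bytes(data)

if __name__ == "__main__":
    for tamper in (False, True):
        label = "tampered" if tamper else "clean"
        print(label, check_header_consistency(build_sample_apk(tamper)))
```

The clean sample yields no findings, while the tampered one reports three mismatches for AndroidManifest.xml alone; the same check applied to a real APK flags entries whose local header disagrees with the central directory.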
This technique was extensively documented by Kaspersky earlier this April in connection with an Android trojan referred to as SoumniBot that has targeted users in South Korea. Telemetry data gathered by Palo Alto Networks Unit 42 from June 2023 through June 2024 has detected nearly 9,200 BadPack samples in the wild, although none of them have been found on Google Play Store.
“These tampered headers are a key feature of BadPack, and such samples typically pose a challenge for Android reverse engineering tools,” Unit 42 researcher Lee Wei Yeong said in a report published last week. “Many Android-based banking Trojans like BianLian, Cerberus and TeaBot use BadPack.”