Hamster Kombat has taken tap-to-earn gaming by storm in the last few months. Players hope to make big money once Hamster Kombat’s token is officially launched. In this pursuit, some of them have fallen victim to scams on two popular platforms: Telegram and GitHub.
Risk 1: Trojan Horses on Telegram
According to a team of ESET researchers, the channel “https://t[.]me/hamster_easy” has been distributing Ratel, an Android spyware disguised as Hamster Kombat. The malware can steal notifications and send text messages. The scammers behind the malware use these functions to pay for services and subscriptions with the unwitting victim’s funds.
Ratel has nothing to do with Hamster Kombat at all. After a user launches it, it requests permission to access their notifications and even asks to become the default SMS application. The malware can intercept all text messages and notifications if the user grants these permissions.
The malware can then control the user’s device via SMS: it can send messages to specified numbers and instruct the phone to call them. If the victim has an account with Sberbank Russia, the malware can check their balance by sending an SMS with the text баланс (balance) to 900, and it could go on to drain the account.
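The two privileges described above, notification access and the default SMS role, can be reviewed on a device over adb. The script below is an added example, not code from ESET or from the original article. It assumes USB debugging is enabled, and both the allowlist and the sample package names are constructed for illustration.

```shell
#!/bin/sh
# Packages expected to hold these privileges (assumption; adjust per device).
ALLOWED="com.google.android.apps.messaging com.google.android.gms"

# Reduce a "package/class" component name to its package part.
pkg_of() { printf '%s\n' "${1%%/*}"; }

# Succeeds when the package is on the allowlist.
is_allowed() {
    for a in $ALLOWED; do [ "$a" = "$1" ] && return 0; done
    return 1
}

# Review the value of the sms_default_application secure setting.
review_sms_default() {
    pkg=$(pkg_of "$1")
    if [ -z "$pkg" ] || [ "$pkg" = "null" ]; then echo "sms_default: none set"
    elif is_allowed "$pkg"; then echo "sms_default: ok $pkg"
    else echo "sms_default: REVIEW $pkg"
    fi
}

# Review enabled_notification_listeners (colon-separated component names).
review_listeners() {
    old_ifs=$IFS; IFS=:
    for comp in $1; do
        IFS=$old_ifs
        pkg=$(pkg_of "$comp")
        [ -n "$pkg" ] && [ "$pkg" != "null" ] || continue
        is_allowed "$pkg" || echo "notification_listener: REVIEW $pkg"
    done
    IFS=$old_ifs
}

# Read both settings from a connected device and review them.
audit_device() {
    sms=$(adb shell settings get secure sms_default_application | tr -d '\r')
    nls=$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')
    review_sms_default "$sms"
    review_listeners "$nls"
}

# Demo on constructed values; call audit_device instead for a real device.
review_sms_default "com.example.fakegame"
review_listeners "com.google.android.gms/.Listener:com.example.fakegame/.NotifyService"
```

Any package flagged REVIEW holds a privilege that a game has no reason to need and should be checked by hand before it is trusted.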
Risk 2: Lumma Stealer malware on GitHub
GitHub repositories offer auto clickers and farm bots for the popular play-to-earn game. These tools help players by automating clicks. However, some of these repositories actually contain cryptors from Lumma Stealer, a malware-as-a-service sold on Telegram and the dark web.
Lumma is mainly distributed via spam and pirated software. It targets user credentials, cryptocurrency wallets, 2FA browser extensions, and other sensitive data. There are three different versions of the cryptors on GitHub: C++, Python, and Go applications.
How to stay safe
Do not open messages or click on links sent by unknown sources, even if they seem connected to Hamster Kombat. Do not grant apps default-application permissions, such as becoming the default SMS app.
Enable two-step verification in Telegram to add an extra layer of security. This will require a password and the code sent to your phone.
Examples of reliable antivirus software against Trojans include Bitdefender Antivirus Plus, Norton 360, and McAfee Total Protection.
While most GitHub repositories are safe, malicious actors can upload harmful software. Ensure the repository is from a trusted and reputable source. Official projects may have a “Verified” badge, which can provide some assurance of the repository’s legitimacy.
If you have the technical expertise, review any code before executing it. Use tools like npm audit or pip-audit to check dependencies for known vulnerabilities.