Here’s the short version: it was discovered over the weekend that an indie game available on Steam, Abstractism, was not merely a quick-and-dirty cash grab, or a front for a scam involving fraudulently trades in Steam’s in-app marketplace, but was almost certainly deliberate malware. Specifically, when installed and run, it took up an amount of system resources that are much more consistent with running a cryptocurrency mining node.
That, in turn, raises yet more questions about Steam’s curation process, or rather the lack thereof, in a year where the service’s notorious inconsistency on the subject has already gotten it a lot of negative attention.
The long version of the story begins with the in-game economy of Valve’s popular multiplayer shooter Team Fortress 2. In TF2, you can trade items back and forth with other players in order to get certain unlockable items for your character, such as silly hats and new weapons, at a faster rate than you’d be able to get them if you were simply grinding for the required materials on your own; you can even make new items yourself and sell them to other players via the Team Fortress 2 Workshop.
These exchanges are paid for with real money or equivalent sums thereof, stored and kept in users’ Steam Wallets. Naturally, this means that the rarest items have risen in actual monetary value over time, so a dedicated or insane TF2 player could sit down and pay around $3,200 for, say, a particularly unusual pair of boots. The same economy has expanded into other games on the Steam service, allowing players to buy, sell, and trade various in-game goods for Steam Wallet funds, which means less actual money changes hands here than you might think.
On the afternoon of July 28, a user with the handle PoorAsianBoy posted on Backpack.tf, a message board for TF2 fans, to report to the community that he’d been scammed. He’d accepted a trade for a rare item, a Strange Australium Rocket Launcher, only to discover that the item he’d actually been given wasn’t linked to TF2 at all. Instead, PoorAsianBoy received a nearly-worthless in-game item that was instead attached to Abstractism. They’d simply taken the same icon as the TF2 item, changed the item’s name, and attached it to their own game, in an attempt to defraud an inattentive purchaser for around $80.
Abstractism is a platform game by a company called Okalo Union that sold for around $0.49. It’s since been withdrawn from the Steam store, but according to the cached search results on Google, Abstractism was “an absolutely trivial platformer, but with the one really special feature – there is no the ‘Game Over’ [also sic]! But instead, there is an ASMR soundtrack…” In other words, it was ostensibly a cheap, inoffensive chill-out game. According to the developer’s SteamSpy profile, Abstractism was released on March 15th, 2018, and had been purchased by around 6,000 people. On July 23, Abstractism updated its community website on Steam with the announcement that it had added item drops to the game. Before that point, it had already picked up a couple of user reviews that reported it was behaving in ways consistent with a cryptocurrency mining program (for example, it was somehow using up a lot of processing power and disk space, despite looking like a cell phone game from 2001), but with the update, Okalo Union specifically encouraged players to keep the game running constantly and at specific times in order to maximize item drop rates.
The furor over PoorAsianBoy’s post on Backpack.tf eventually spread to Twitter, where a gaming-focused YouTuber named SidAlpha took an interest. He bought the game, and as he goes over in his video, notes that many of the nearly 200 items available for Abstractism were based off of stolen assets (one of which, in fact, was simply a photo of the famous Japanese game developer Hideo Kojima), and that the behavior suggested to maximize their drop rate only makes sense if you assume the program’s a cryptocurrency miner. One of the comments on the video, from “Matheus Muller,” further goes into the program’s behavior, which is doubly disturbing, as YouTube comments aren’t supposed to be useful or well-written.
Obviously, none of this is hard proof, but it’s not a deductive masterstroke. The July 23rd patch for Abstractism seems to have introduced a new .exe for the game which shows up immediately on malware scans; the game is a very simple platformer involving a single moving featureless block, but uses up memory and disk space like you’re dual-boxing Crysis; and the way the developers suggested that you should play Abstractism is consistent with someone who’s trying to maximize yield from a mining node. If it walks, looks, and quacks like a duck, then the duck is probably trying to cryptojack your computer.
I may have gotten that proverb wrong.
As of the morning of the 30th, Abstractism has been removed from Steam by Valve, according to PCGamesN, after the story hit several major news sites. That leads to the next obvious question: how is it that one of the biggest companies in the video game industry, running the single biggest digital storefront in the hobby, managed to let something this obvious get onto the system?
Basically, it’s because Valve’s given up on trying to curate Steam at all. In 2012, getting your game on the platform involved getting through the voting process of Steam Greenlight. That was shut down in 2017 in favor of the new Steam Direct program. These days, any developer who can pay a deposit, build a store, wait 30 days, and get through a brief verification period with Valve can put their game on Steam. Thus, something like Abstractism just had to not obviously be a scam for long enough to get through Valve’s bare-bones application process, and after that, it was ready to sell a few copies.
Valve made some token moves in favor of moderating its system, but has deliberately been trying to stay as hands-off as possible. It created a brief stir in May by moving to censor several games for sexual content (such as the independently-produced visual novel Mutiny!!), but quickly backed down. A few days after that, the “school shooting simulation” Active Shooter got unceremoniously yanked from Steam following an outcry from parents and survivors of real-world shooting incidents.
The official position, as stated by Valve in an official blog post at the start of June, is that “…our role should be to provide systems and tools to support your efforts to make these choices for yourself, and to help you do it in a way that makes you feel comfortable. With that principle in mind, we’ve decided that the right approach is to allow everything onto the Steam Store, except for things that we decide are illegal, or straight up trolling.” The company claims to be working on new tools to help it more effectively curate the Steam library, but in the meantime, it’s depending entirely on user feedback to determine what does and doesn’t belong on the storefront.
In the meantime, then, thanks to the hands-off nature of Steam’s current business model, the storefront is the Wild West. As you can see in similarly unpoliced marketplaces like the typical mobile app store, any game with a bit of originality is likely to have a dozen increasingly flagrant clones up on the same storefront within a couple of weeks. Now, on top of the previous problems with lazy asset flips, there’s a non-zero chance that games you’ve never heard of on Steam could be fronts for cryptojacking, or simply something to hang a scam off of. Valve did pull Abstractism down very quickly once the word was out, but the fact that it happened at all was one more curation-related controversy in a summer that’s already been full of them.