BigStock Photo.

Here’s the short version: it was discovered over the weekend that an indie game available on Steam, Abstractism, was not merely a quick-and-dirty cash grab, or a front for a scam involving fraudulent trades in Steam’s in-app marketplace, but was almost certainly deliberate malware. Specifically, when installed and run, it took up an amount of system resources that are much more consistent with running a cryptocurrency mining node.

That, in turn, raises yet more questions about Steam’s curation process, or rather the lack thereof, in a year where the service’s notorious inconsistency on the subject has already gotten it a lot of negative attention.

The long version of the story begins with the in-game economy of Valve’s popular multiplayer shooter Team Fortress 2. In TF2, you can trade in-game raw materials back and forth with other players in order to speed up the process of unlocking various cosmetic items for your characters, such as silly hats and new weapons. You can even make new items yourself and sell them to other players via the Team Fortress 2 Workshop.

These exchanges are paid for with real money or equivalent sums thereof, which is stored and kept in users’ Steam Wallets. Naturally, this means that the rarest items have risen in actual monetary value over time, so a dedicated or insane TF2 player could sit down and pay around $3,200 for, say, a particularly unusual pair of boots. The same economy has expanded into other games on the Steam service, which allows players to buy, sell, and trade various in-game goods and Steam Trading Cards. This is mostly done via Steam Wallet funds, so less actual money changes hands here than you might think.

PoorAsianBoy’s post on Backpack.tf. Shown: Abstractism‘s knockoff rocket launcher.

On the afternoon of July 28, a user with the handle PoorAsianBoy posted on Backpack.tf, a message board for TF2 fans, to report to the community that he’d been scammed. He’d accepted a trade for a rare item, a Strange Australium Rocket Launcher, but instead received a nearly-worthless in-game item that was attached to Abstractism. They’d simply taken the same icon as the TF2 item, changed its name, and attached it to their own game, in an attempt to defraud an inattentive purchaser for around $80.

Abstractism is a platform game by a company called Okalo Union that sold for around $0.49. It’s since been withdrawn from the Steam store, but according to the cached search results on Google, Abstractism was “an absolutely trivial platformer, but with the one really special feature – there is no the ‘Game Over’ [also sic]! But instead, there is an ASMR soundtrack…” In other words, it was ostensibly a cheap, inoffensive chill-out game.

According to the developer’s SteamSpy profile, Abstractism was released on March 15th, 2018, and had been purchased by around 6,000 people. On July 23, Abstractism updated its community website on Steam with the announcement that it had added item drops to the game. Before that point, it had already picked up a couple of user reviews that reported it was behaving in ways consistent with a cryptocurrency mining program; for example, it was somehow using up a lot of processing power and disk space, despite looking like a cell phone game from 2001. With the update, Okalo Union specifically encouraged players to keep the game running constantly and at specific times in order to maximize item drop rates.

The furor over PoorAsianBoy’s post on Backpack.tf eventually spread to Twitter, where a gaming-focused YouTuber named SidAlpha took an interest. As he goes over in his video, he found that many of the nearly 200 items available for Abstractism were based off of stolen assets (one of which, in fact, was simply a photo of the famous Japanese game developer Hideo Kojima), and that the behavior suggested to maximize their drop rate only makes sense if you assume the program’s a cryptocurrency miner. One of the comments on the video, from “Matheus Muller,” further goes into the program’s behavior, which is doubly disturbing, as YouTube comments aren’t supposed to be useful or well-written.

Obviously, none of this is hard proof, but it’s not a deductive masterstroke. The July 23rd patch for Abstractism seems to have introduced a new .exe for the game which shows up immediately on malware scans; the game is a very simple platformer which involves a single moving featureless block, but uses up memory and disk space like you’re dual-boxing Crysis; and the way that the developers suggested that you should play Abstractism is consistent with someone who’s trying to maximize their mining yield. If it walks, looks, and quacks like a duck, then the duck is probably trying to cryptojack your computer.

I may have gotten that proverb wrong.

As of the morning of the 30th, Abstractism has been removed from Steam by Valve, according to PCGamesN, after the story hit several major news sites. That leads to the next obvious question: how is it that one of the biggest companies in the video game industry, running the single biggest digital storefront in the hobby, managed to let something this obvious get onto its platform?

Basically, it’s because Valve’s given up on trying to curate Steam at all. In 2012, getting your game on the platform involved getting through the voting process of Steam Greenlight. That was shut down in 2017 in favor of the new Steam Direct program. These days, any developer who can pay a deposit, build a store, wait 30 days, and get through a brief verification period with Valve can put their game on Steam. Thus, something like Abstractism just had to not obviously be a scam for long enough to get through Valve’s bare-bones application process, and after that, it was ready to sell a few copies.

Valve made some token moves in favor of moderating its system, but has deliberately been trying to stay as hands-off as possible. It created a brief stir in May by moving to censor several games for sexual content (such as the independently-produced visual novel Mutiny!!), but quickly backed down. A few days after that, the “school shooting simulation” Active Shooter got unceremoniously yanked from Steam following an outcry from parents and survivors of real-world shooting incidents.

The official position, as stated by Valve in an official blog post at the start of June, is that “…our role should be to provide systems and tools to support your efforts to make these choices for yourself, and to help you do it in a way that makes you feel comfortable. With that principle in mind, we’ve decided that the right approach is to allow everything onto the Steam Store, except for things that we decide are illegal, or straight up trolling.” The company claims to be working on new tools to help it more effectively curate the Steam library, but in the meantime, it’s depending entirely on user feedback to determine what does and doesn’t belong on the storefront.

In the meantime, then, thanks to the hands-off nature of Steam’s current business model, the storefront is the Wild West. As you can see in similarly unpoliced marketplaces like the typical mobile app store, any game with a bit of originality is likely to have a dozen increasingly flagrant clones up on the same storefront within a couple of weeks. Now, on top of the previous problems with lazy asset flips, there’s a non-zero chance that games you’ve never heard of on Steam could be fronts for cryptojacking, or simply something to hang a scam off of. Valve did pull Abstractism down very quickly once the word was out, but the fact that it happened at all was one more curation-related controversy in a summer that’s already been full of them.

Like what you're reading? Subscribe to GeekWire's free newsletters to catch every headline

Job Listings on GeekWork

Find more jobs on GeekWork. Employers, post a job here.