The popular Steam online gaming platform has pulled a simple, 2D game from its library, after it was found to be consuming an unusual amount of processing power on gamers’ machines.
Steam owner Valve booted the game, “Abstractism,” after players complained that it was chewing up processor resources and expressed concerns that it might be engaged in cryptojacking; YouTuber SidAlpha investigated and publicized the claims in a video over the weekend.
In a forum response to the concerns on Steam, Abstractism’s developer, Okalo Union, said the heavy usage was due to “post-processing effects rendering” required by the graphics; however, researchers noted that the simple black-and-white stick-figure game could not be said to have advanced graphics.
“When you see the very-basic game in action, it’s hard to believe that it could have any legitimate need to stretch the abilities of a typical gaming PC,” said researcher Graham Cluley, writing on the Bitdefender blog, published Tuesday.
Meanwhile, the game was found to be dropping a “SteamService.exe” file into the game’s directory, which, as SidAlpha showed in his video, antivirus software flagged for allowing the “remote execution of commands.” That supports the idea that the game is communicating with a cryptomining platform.
The developer didn’t help his cause in a recent update, which explained a new “Inventory Service” feature that would reward players who stay in the game longer with “drops” of rare in-game items.
“Drop time is dynamic and increases after each drop (you need 15 minutes to receive the first drop, 30 minutes for the second drop, 60 minutes for the third drop and so on),” the update explained.
The developer also added: “Abstractism Launcher and Abstractism Inventory Service are not Bitcoin miner (and are not Monero miner too, honestly).”
Union also claimed that the potentially malicious executable was necessary in order to control the drop mechanism.
The situation was then made worse when the game was found to be offering falsified items on the Steam Marketplace. A forum member, for instance, flagged a “Strange Professional Killstreak Australium Rocket Launcher,” which is a tool for the Team Fortress 2 game, for sale by Abstractism at an inflated price.
On Monday, Valve said in a media statement that it had “removed Abstractism and banned its developer from Steam for shipping unauthorized code, trolling and scamming customers with deceptive in-game items” – though it didn’t specifically mention cryptomining. It also banned other Okalo Union games from Steam, as well as the developer’s publisher, Dead.Team, in the process.
Union isn’t gone for good: He also has a very simple game called GeoCube, published for Android devices on Google Play.
“It isn’t just Valve who has let them through. I would be curious to know what is going on with that game too,” said Chris Morales, head of security analytics at Vectra, via email. “High-end computers with GPU power are the ideal candidate for gaming systems. That also happens to be the perfect profile for a cryptocurrency mining system. Making a game that performs cryptomining on gaming systems could easily prove to be highly lucrative if it were to continue unnoticed.”
The quick Valve response is an indicator of things moving in the right direction when it comes to consumer safety, according to Malwarebytes.
“Gaming and app platforms are enforcing stricter rules related to malicious cryptomining,” a spokesperson told Threatpost. “For instance, just recently Google made it clear in its revised policy that it will not allow cryptomining apps in its Play Store. Developers who may be tempted to embed a hidden coinminer in their applications to generate extra revenues should take note that it is at the risk of losing some of their user base, or worse, getting banned from the most popular distribution platforms.”
That’s a good thing, given that cryptomining is on the rise, and unlikely to wane anytime soon.
“We’ve seen a dramatic increase in cryptomining scams coming from all sources over the past few months,” Timur Kovalev, CTO at Untangle, told Threatpost. “Drive-by attacks as well as time-tested malware variants like trojans are now focused on exploiting computing resources of unsuspecting users in an effort to mine cryptocurrency, often Bitcoin or Monero. Exploits can run locally or in a browser and quickly consume compute power leaving hijacked systems locked up. While a theft of computing processing power may not seem significant at first, if left unnoticed or unchecked, it could potentially overheat or even brick a system. We advise users to be vigilant when installing any app or game, using an unsecured mobile device, or browsing untrusted websites.”