It’s the weekend, and nothing beats a bottle of wine and a new story-driven game to play! Maybe a cute indie game to relax and chat with friends on Discord. šš®
If this sounds like you or something you’d like to do,Iām pretty sure you’ve had this dilemma before:
Should I turn off my brain for a few seconds, embrace the risk, and visit FitGirlās website for a cracked game? Or should I be wiser, spend some money on Steam, and play safely?
Well, after reading this article, you might start thinking more than twice I promise!
I was in that exact situation today. I was hanging out on Discord with my people, telling them how tired I was and how I just wanted to buy a new game to chill. Lol! And guess what? My homie said, “Keep downloading Steam games, and youāll get pwned soon!“ HAHA!
Weāre a branch of hackers. We know how a lot of things work, but we also believe thereās a lot we donāt know. So, I asked my friend what he was talking aboutāand he showed me this article :
Dude, what?! Are you telling me that games hosted on Steam contain malware?
Isnāt Steam supposed to be the safe place to download games?
Unfortunately, itās true, Steam isnāt as safe as you might think. Just like the Play Store or any other game marketplace, hackers always find ways to spread malware. But the real question is : how?
I mean, isnāt Steam a huge company? Donāt they have a security team doing thorough checks and reviews?
I donāt know, manā¦ But with the crazy prices we pay for games, Iām not buying the idea that they donāt have security checks or that they have weak ones!
To make myself believe, I need to see the truth, smell it, and taste it.
So letās do our research!
First thing to do is understandhow things work.
So, how are games pushed onto Steam, and who can upload them ? š¤
This a general little map I mad to make you understand how it wors :
You should know that anyone can create and publish a game on Steam including you.
The process is surprisingly simple. Hereās how it works:
1ļøā£ Develop the game ā Whether itās a small indie project or a full-fledged title, you just need a playable build.
2ļøā£ Create a developer account on Steamworks ā This is Steamās platform for game creators.
3ļøā£ Pay a $100 fee ā This one-time fee per game grants you publishing rights.
4ļøā£ Submit your game for review ā Steam runs a basic verification process before approving it for release.
Sounds safe, right? Not really. The review process isn’t as strict as you might think, which opens the door for shady developers to sneak in malicious code.
But letās dig deeperā¦ How does Steam actually review these games, and can malware slip through?
Steam does have a review process, but itās not as strict as you might expect. Unlike mobile app stores that use automated malware scans and security policies, Steamās approach is more focused on content moderation rather than deep security analysis. Hereās how it works:
1ļøā£ Basic Verification ā Steam ensures that the developer has paid the $100 fee and that the game has actual content (not just a blank launcher).
2ļøā£ Automated Scans ā Some basic checks are performed, but they mainly focus on preventing obvious scams, not deep malware detection.
3ļøā£ Community Review & Reports ā Once a game is published, it relies heavily on user reports and reviews. If a game is flagged as suspicious, Steam might investigate.
The Problem?
š No Deep Security Audits ā Thereās no in-depth malware scanning or strict sandbox testing like youād find on Appleās App Store.
š Social Engineering Works ā Hackers can disguise malicious software as game launchers, mods, or even āupdates.ā
š Once Itās Live, Itās Too Late ā By the time Steam removes a bad game, many users might have already downloaded it.
So, can malware slip through? Absolutely. Hackers just need to disguise it well enough to pass Steamās surface-level checks. But what kind of malware are we actually talking about? Letās break it downā¦ š„š
Looking arround on the internet ive found people talking about this :
Firsy Who is Valve, and Whatās Their Role in This?
Before we go deeper, letās talk about Valvethe company behind Steam.
Valve Corporation is a gaming giant that started in 1996, best known for legendary titles like Half-Life, Counter-Strike, and Portal. But what really put them on another level was the launch of Steam in 2003āwhich began as a simple game launcher and evolved into the worldās biggest PC gaming marketplace.
Whatās Valveās Role in Steam?
Valve owns and operates Steam, meaning they control everything from game publishing rules to security policies. But hereās the catch:
š¹ They prioritize profits over policing ā Steam takes a 30% cut from every game sale, meaning their goal is to have more games, more sales, more revenueānot necessarily more security.
š¹ They rely on automation ā Instead of having a strict security team manually reviewing each game, Valve automates most of the process. This makes it easier for sketchy developers to slip through.
š¹ They have a history of ignoring issues ā Valve has been called out multiple times for allowing scam games, fake developers, and even malware-ridden software to be sold on Steam. Their slow response to security risks has raised serious concerns in the gaming community.
So, Can We Really Trust Steam?
Steam is massive, but itās also flawed. Valveās hands-off approach makes it easy for malicious actors to take advantage of the system. And if you think theyāre actively hunting down malware before it reaches youā¦ think again.
The real question is: What kind of threats are we dealing with, and how are hackers exploiting Steam? š„š
Before we dive into that, letās zoom in and take another look at that last Reddit screenshot. It mentions something interesting back in 2016, Street Fighter V rolled out an update meant to stop cheating, but instead, it introduced a serious vulnerability. This flaw could be exploited by other malicious software, making the system even more vulnerable.
So, this isnāt a new issue. In fact, I found multiple articles discussing similar incidents. Steamās security flaws have been exposed before, and the risks are still very real today. Letās break it downā¦ šØš
This is a lotāand with so many other articles out there, it only proves that this is real.
Now, letās get back to the most important question:
What kind of threats are we dealing with, and how are hackers exploiting Steam? š„š
Due to my daily job as a redteamer the answer for this question was obvios and here is some scenarios that may happen!
First take a look and how the steam dev dashboars looks like from inside when you create an account for the first time
Theyāll ask for some information, but you can just throw in random bla bla data and pay the fee no problem.
Thereās no verification to check if your company actually exists or if your dev team is even real. As long as you pay, you can publish. š°š
So, it’s easy, right? You develop a sweet, undetectable piece of malware, mix it into a game, and publish it on Steam.
Wellā¦ it’s possible, but is it the best way?
Do you have the skills to create a game that actually attracts players? Doubt it. š
Do you have a big company name with an existing fanbase waiting for your releases and updates? Absolutely not.
Soā¦ what now?
Well, why not target gaming companies instead?
Pwn their engineers and employees, steal their accounts, and use them to push your malware the easy way.
Sounds a bit too advanced for your skiddie skills, huh? š
Or maybeā¦ you donāt even need to hack them. Because guess what?
Theyāre already hacked.
Just check these stealer logs theyāre full of compromised accounts from game developers. Access already granted. Just push malicious Updates š„
Up to this point, we’ve already pushed the limits, thereās no need to go further with PoCs or anything that could land us in jail. šØ
The goal was never to show how to do it, but to make you think twiceā¦ or even more before trusting everything you download.
And I think you will. š
