According to G Data, “malicious users” are specially crafting profile images to contain malware. Because of the way it’s created, the malware can’t be detected by antivirus software. These images can’t do much on their own though, G Data says it’s “payload” malware that requires even more malware to activate it. Basically, you’d need to have downloaded some other bit of nasty malware (from rotten websites or spam emails) that would act as a decrypter. Damage can only be caused with both bits of malware. “It should be noted that in order to become a target for this method, no installation of Steam - or any other game platform - is required. The Steam platform merely serves as a vehicle which hosts the malicious file,” G Data say. “The heavy lifting in the shape of downloading, unpacking and executing the malicious payload is handled by an external component which just accesses the profile image on one Steam profile. This payload can be distributed by the usual means, from crafted emails to compromised websites.” G Data emphasises that Steam users aren’t at an increased risk of infecting their devices just by having Steam installed - even opening one of these modified images in a viewing application won’t infect your PC. Hiding malware in pictures in this way isn’t new either, it’s just a method that supposedly hasn’t been seen on gaming platforms before. It’s the kind of thing you can avoid by doing the usual and being sensible about what you click on. Also, I don’t know who would bother downloading other players’ profile pics, but on the off chance that’s you, you should probably stop to be safe. If you’re interested in the technical bits, here’s the link to that G Data article again where they explain in detail how the malware works.
