Really sad story

Think of it from the adversarial perspective. We gonna compromise your steam account creds and your mobile device to siphon $.45c worth of rust skins? No, doesn't make sense. What's the easier attack vector? The mobile device? Could harvest creds from that, sure. Auth a session by capturing a push notification (push notifications are badsec and need to be depreciated btw Valve) that allows for API access, attach malicious API to the steam account and the rest runs on autopilot. Every push notif is autoapproved as the script harvests the account. Plebs install a lot of stupid ♥♥♥♥ on their phones, the Gplay store is made of Swiss Cheese as far as security, easy attack vector. Authorized device is removed as soon as the harvest completes. Same concept for if they harvest the session token right?
You probably shouldn't have been gambling on that CSGO betting site. You shouldn't have installed that stupid ♥♥♥♥ with 4000 downloads on your phone. You shoulda blocked arbitrary javascript from running from your browser. You probably shouldn't leave an Electron app like discord running 24/7 that is capable of ACE. Coulda woulda shoulda and ♥♥♥♥.
Speaking of ACE, you have to be vigilant about programs. There's this sketchy company called Riot Games, that released this sketchy product called Valorant. Valorant allowed for ACE against anyone connected to mplayer lobby for a period and their so called "pro" circuit was targeted. They patched the vuln, but their "anticheat" still runs as a kernel mode driver capable of ACE.