The Unity gaming platform is discreetly implementing a solution for a vulnerability that permits third-party code to execute in Android mobile games, potentially endangering mobile crypto wallets, according to two anonymous sources.
This vulnerability impacts projects dating back to 2017, with the sources indicating that it mainly affects Android, though Windows, macOS, and Linux systems are also impacted to varying extents.
Unity has started distributing fixes and a standalone patching tool privately to selected partners, as per the sources, but public guidance isn’t anticipated until Monday or Tuesday next week.
Cointelegraph reached out to Unity for additional information but did not receive an immediate reply.
A Google spokesperson informed Cointelegraph that they are aware of the vulnerability.
“Unity is providing a patch to app developers to address this issue, and developers should update their apps without delay,” the spokesperson noted.
“Google Play will assist developers in releasing patched versions of their apps as swiftly as possible. Based on our current detections, we have not identified any malicious apps exploiting this vulnerability on Play,” they added.
Unity is one of the world’s premier game engines
San Francisco-based Unity Technologies powers Unity, a leading platform of tools allowing creators to build and expand real-time games, apps, and experiences across various platforms. Unity is behind over 70% of the top thousand mobile games, and over 50% of new mobile games are developed using Unity, as stated by the company.
The potential risk to crypto wallets
The sources characterized the threat as an “in-process code injection,” though they did not confirm whether devices could be fully compromised. However, it’s stated that the vulnerability could escalate to device-level compromise on Android under certain circumstances.
Related: Hackers discover new methods to conceal malware within Ethereum smart contracts
Even without complete device access, the malicious code could “attempt overlays, input capture, or screen scraping,” posing risks to personal credentials or crypto wallet seed phrases, the sources warned.
How to safeguard yourself
The sources recommend mobile gamers to update any Unity-based games as patches become available and to refrain from sideloading, which includes installing apps from unofficial or third-party app stores or downloading Android Application Packages (APKs) from unverified websites.
Sideloaded apps have not undergone scrutiny by Google Play’s security measures, enabling malicious actors to distribute altered versions of legitimate games that take advantage of the Unity flaw. Additionally, sideloaded apps will not automatically receive security updates or patches when Unity issues fixes.
Users should also review their device permissions and disable unnecessary overlays or accessibility services while gaming.
Finally, practicing risk segregation—keeping crypto wallets on a different device or account from gaming—is advisable.
This is an evolving story, and further information will be updated as it becomes available.
Magazine: Pudgy Penguins’ ‘masterpiece’ Pudgy Party surpasses 500K downloads: Web3 Gamer
