The Unity gaming platform is quietly rolling out a fix for a vulnerability that permits third-party code to execute in Android-based mobile games, potentially targeting mobile crypto wallets, according to two anonymous sources.
The vulnerability affects projects dating back as far as 2017, the sources indicated. While it mainly affects Android, builds for Windows, macOS, and Linux are also affected to varying extents.
Unity has started to distribute fixes and a standalone patch tool privately to select partners, according to the sources, but public guidance is not anticipated until Monday or Tuesday of next week.
Cointelegraph reached out to Unity for additional details but did not receive an immediate reply.
A Google spokesperson informed Cointelegraph that they are aware of the vulnerability.
“Unity is providing a patch to app developers to rectify this issue, and developers should update their apps immediately,” said the spokesperson.
“Google Play will assist developers in swiftly releasing patched versions of their apps. According to our current detections, malicious apps exploiting this vulnerability are not present on Play,” they added.
Unity is one of the world’s most popular game engines
Based in San Francisco, Unity Technologies is responsible for Unity, a leading platform of tools for creators to construct and expand real-time games, apps, and experiences across various platforms. Unity powers over 70% of the top thousand mobile games, and more than 50% of new mobile games are developed using Unity, according to the company.
Potential threat to crypto wallets
The sources characterized the threat as an “in-process code injection,” but did not verify whether devices could be commandeered. However, the sources indicated that the vulnerability could escalate to a device-level compromise on Android under specific conditions.
Even without complete device access, the malicious code could “attempt overlays, input capture, or screen scraping,” potentially targeting personal credentials or crypto wallet seed phrases, the sources cautioned.
How to protect yourself
The sources advised mobile gamers to update any Unity-based games as patches become available and to avoid sideloading, which includes installing apps from non-official or third-party app stores or downloading Android Application Packages (APKs) from websites.
Sideloaded apps have not been screened by Google Play’s security systems, meaning malicious actors could spread modified versions of legitimate games that take advantage of the Unity flaw. Sideloaded apps also won’t automatically receive security updates or patches once Unity releases fixes.
Users should also review their device permissions and disable unnecessary overlays or accessibility services that may operate during gameplay.
Lastly, it is advised to practice risk segregation, keeping crypto wallets on a separate device or account from gaming activities.
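The checks in this section (look for sideloaded apps, review which apps can draw overlays, and see which accessibility services are enabled) can be done from a computer with adb. The script below is an added example, not from the article or from Unity; it wraps the standard `pm list packages -i`, `settings get secure enabled_accessibility_services` and `appops query-op SYSTEM_ALERT_WINDOW allow` commands. The sample output embedded in it is constructed so the parsing functions can be exercised without a device, and the `package:<name>  installer=<pkg>` line format and the set of trusted installers are assumptions you may need to adjust for your device.

```shell
#!/bin/sh
# Added example (not the article's or Unity's code): audit an Android device for
# sideloaded packages, overlay-capable apps and enabled accessibility services.
# Sample inputs in the test are CONSTRUCTED; on a real device the live
# `adb shell ...` output is piped into the same functions by audit_device.

# Installers treated as official stores (assumption: Google Play only; add
# your OEM store's package name if your device ships one).
TRUSTED_INSTALLERS="com.android.vending"

# Reads `pm list packages -i` output on stdin, one line per package in the
# (assumed) form "package:<name>  installer=<pkg>", and prints every package
# whose installer is not in TRUSTED_INSTALLERS, i.e. a sideload candidate.
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;          # skip anything that is not a package line
        esac
        pkg=${line#package:}
        pkg=${pkg%% *}              # drop everything after the package name
        case "$line" in
            *installer=*) installer=${line##*installer=} ;;
            *) installer=null ;;    # older Android prints no installer field
        esac
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            [ "$installer" = "$t" ] && trusted=1
        done
        [ "$trusted" -eq 1 ] || printf '%s (installer=%s)\n' "$pkg" "$installer"
    done
}

# Reads the value of the secure setting enabled_accessibility_services on stdin
# (a colon-separated list of ComponentNames, or "null" when none are enabled)
# and prints the owning package of each enabled service, one per line.
list_accessibility_packages() {
    read -r value
    [ -z "$value" ] || [ "$value" = "null" ] && return 0
    printf '%s\n' "$value" | tr ':' '\n' | cut -d/ -f1
}

# Runs the three checks against a connected device. Requires adb on PATH and
# USB debugging enabled; review each list and revoke what you do not recognise.
audit_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 1; }
    echo "== packages not installed from a trusted store =="
    adb shell pm list packages -3 -i | flag_sideloaded
    echo "== apps allowed to draw over other apps (overlay permission) =="
    adb shell appops query-op SYSTEM_ALERT_WINDOW allow
    echo "== packages with an enabled accessibility service =="
    adb shell settings get secure enabled_accessibility_services | tr -d '\r' \
        | list_accessibility_packages
}
```

Run `audit_device` with a device attached; anything listed under the overlay or accessibility headings that is not a tool you deliberately set up is a candidate for revoking in Settings before using a wallet app on the same device.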
This is a developing story, and further information will be updated as it becomes available.
