Unity Android Vulnerability Raises Alarm Over Cryptocurrency Wallets

A critical flaw in the Unity game engine could enable unauthorized code execution in Android mobile games, jeopardizing users’ cryptocurrency wallets, as reported by reliable sources.

The vulnerability dates back to 2017 and is said to primarily impact Android devices, although Windows, macOS, and Linux may experience varying effects.

Unity is reportedly distributing fixes and a standalone patching utility to select partners but has yet to announce public guidance, expected next week.

Cointelegraph reached out to Unity for comments but received no response. A Google representative confirmed awareness of the issue, stating, “Unity is making a patch available to app developers to fix this issue, and developers should update their apps immediately.” They also assured, “Google Play will support helping developers release patched versions of their apps as quickly as possible, though currently detected malicious apps exploiting this vulnerability are not present on the Play Store.”

The Influence of Unity in Gaming

Unity Technologies, based in San Francisco, is the powerhouse behind Unity, a prominent toolset for developing games and interactive experiences across platforms. Notably, Unity is used in over 70% of the top mobile games, with more than half of new releases being created using its tools.

Harold Halibut Harold Halibut: an example of a recent game developed with Unity.

Significant Risks to Cryptocurrency Wallets

The sources have labeled the risk as an “in-process code injection,” warning that it could lead to more severe device compromises under certain circumstances.

Even in the absence of full-device access, the malicious code could potentially conduct overlay attacks, input capture, or screen scraping to extract personal credentials and sensitive information like crypto wallet seed phrases.

Precautions for Gamers

Advisory from sources suggests mobile gamers update their Unity-based games as patches are released and to avoid sideloading applications from unofficial sources that may not be screened for security, as these could exploit the vulnerability. Sideloaded applications won’t receive automatic updates either when patches are released.

Furthermore, users are encouraged to review device permissions and deactivate unnecessary overlays or accessibility services during gameplay. Practicing risk segregation by maintaining crypto wallets on distinct devices or accounts separate from gaming activities is also recommended.

This situation is evolving, and more updates will be provided as they arise.