Unity Android flaw could drain gamers’ crypto wallets: How to protect yourself

The Unity gaming platform is quietly rolling out a fix for a vulnerability that allows third-party code to run in Android-based mobile games, which can potentially target mobile crypto wallets, according to two sources who asked to remain anonymous. 

The vulnerability affects projects dating back to 2017, according to the sources, who added that the vulnerability primarily affects Android, but Windows, macOS and Linux systems are also affected to varying degrees.

Unity has begun distributing fixes and a standalone patching tool privately to selected partners, according to the sources, but public guidance isn’t expected until Monday or Tuesday of next week. 

Cointelegraph contacted Unity for further information, but did not receive an immediate response. 

A Google spokesperson told Cointelegraph they are aware of the vulnerability. 

“Unity is making a patch available to app developers to fix this issue, and developers should update their apps immediately,” the spokesperson said. 

“Google Play will support helping developers release patched versions of their apps as quickly as possible. Based on our current detections, malicious apps exploiting this vulnerability are not found on Play,” they added. 

Unity is one of the world’s most popular game engines

San Francisco-based Unity Technologies is behind Unity, a leading platform of tools for creators to build and grow real-time games, apps, and experiences across multiple platforms. Unity powers over 70% of the top thousand mobile games, and more than 50% of new mobile games are created in Unity, according to the company. 

Harold Halibut: one of the latest games made with the Unity engine. Source: Unity

Potential threat to crypto wallets

The sources described the threat as an “in-process code injection,” but did not confirm whether devices could be taken over. However, the sources said the path could escalate to device-level compromise on Android under certain conditions.

Even without full device access, the malicious code could “attempt overlays, input capture, or screen scraping,” which could target personal credentials or crypto wallet seed phrases, the sources warn. 

How to protect yourself 

The sources have advised mobile gamers to update any Unity-based games as patches roll out and avoid sideloading, such as installing apps from non-official or third-party app stores or downloading Android Application Packages (APKs) from websites. 

Sideloaded apps have not been screened by Google Play’s security systems, so malicious actors could distribute modified versions of legitimate games that exploit the Unity flaw. Sideloaded apps also won’t automatically receive security updates or patches when Unity releases fixes. 

Users should also check their device permissions and disable unnecessary overlays or accessibility services that run while gaming.

Finally, risk segregation, where crypto wallets are kept on a separate device or account from gaming, should be practiced.