Unity Technologies has patched a major vulnerability in its popular Unity game engine that could allow attackers to execute malicious code and access sensitive user data through apps built with the engine, putting crypto users at risk.
Unity released a patch on Friday, targeting the flaw that was first discovered in June by security researchers and later flagged internally.
What are the risks?
The vulnerability stems from a flaw in Unity’s Android build environment that enabled “in-process code injection,” allowing malicious software on the same device to exploit the permissions granted to Unity-based applications, two people familiar with the matter told Cointelegraph.
Separately, research published by GMO Flatt Security researcher RyotaK warned that the vulnerability could give bad actors access to a range of attack techniques, from unauthorised overlays to input capture and screen scraping, placing sensitive information such as passwords and crypto wallet seed phrases at risk.
However, even without direct control of the device, RyotaK warned that attackers could still deploy stealth techniques to intercept credentials or mimic trusted user interfaces to trick people into revealing confidential information.
The vulnerability reportedly affected Unity-based projects dating back as far as 2017, with Android applications bearing the highest exposure.
Windows, macOS, and Linux systems were also impacted to varying degrees, although researchers have not yet confirmed whether the flaw could escalate to a full device takeover.
According to unnamed sources cited by Cointelegraph, crypto users were particularly vulnerable, especially since mobile games are often installed alongside wallets or other financial applications on the same device, thereby increasing the attack surface for malicious actors.
Notably, sideloaded apps (versions of Unity games distributed outside official app stores) could pose the greatest threat because they are not screened by Google Play’s security systems and do not automatically receive updates or patches.
As of now, Unity Technologies says it has no evidence that the vulnerability has been exploited in the wild, and Google confirmed that no malicious apps exploiting the flaw have been detected on the Play Store.
“Google Play will support helping developers release patched versions of their apps as quickly as possible. Based on our current detections, malicious apps exploiting this vulnerability are not found on Play,” a Google spokesperson told crypto media.
However, developers have been urged to update their Unity Editor installations to the patched version and to rebuild and republish any affected applications so users can download secure updates.
Mobile gamers, meanwhile, are being advised to enable automatic updates, avoid sideloading from unverified sources, review device permissions, and disable unnecessary overlays or accessibility services that run while gaming.
Security specialists also recommended practising risk segregation, such as keeping cryptocurrency wallets on a separate device or account from gaming applications, to minimise potential fallout from exploits.
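The advice above to review device permissions and disable unneeded overlays or accessibility services can be turned into a quick audit. The script below is an added example, not code from the article, Unity or Google: it reads the two Android settings that matter most for the overlay and input-capture techniques described (enabled accessibility services and apps allowed to draw over other apps) via standard adb commands, and flags anything not on a short allowlist. The allowlist entries are an assumption to edit for your own device, and the package `com.example.cheats` and the sample values used when no device is attached are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article, Unity or Google). adb commands are standard
# Android tooling; the allowlist entries and the sample output below are constructed.
set -e

# Services and overlay holders you knowingly use (assumption: edit for your device).
ALLOWED_A11Y="com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
ALLOWED_OVERLAY="com.android.systemui"

# $1: newline-separated candidate entries, $2: colon-separated allowlist.
# Prints the candidates that are not allowlisted, one per line.
flag_unexpected() {
    printf '%s\n' "$1" | while IFS= read -r item; do
        [ -n "$item" ] || continue
        case ":$2:" in
            *":$item:"*) ;;             # known-good, skip
            *) printf '%s\n' "$item" ;; # unexpected, report it
        esac
    done
}

# The Secure setting enabled_accessibility_services is a colon-separated list of
# pkg/ServiceClass entries ("null" when none is enabled); emit one entry per line.
a11y_lines() {
    case "$1" in
        null|"") ;;
        *) printf '%s' "$1" | tr ':' '\n' ;;
    esac
}

if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    # Live path: a device is attached. tr strips the CRLF that adb shell emits.
    a11y_raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    # Packages currently allowed to draw over other apps (overlay permission).
    overlay_raw=$(adb shell appops query-op SYSTEM_ALERT_WINDOW allow | tr -d '\r')
else
    # Constructed sample output for offline use: one legitimate screen reader plus a
    # hypothetical cheat/overlay app a user may not remember enabling.
    a11y_raw="com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.cheats/.OverlayAccessibility"
    overlay_raw="com.android.systemui
com.example.cheats"
fi

echo "Accessibility services to review (disable any you do not recognise):"
flag_unexpected "$(a11y_lines "$a11y_raw")" "$ALLOWED_A11Y"
echo "Apps allowed to draw over other apps, to review:"
flag_unexpected "$overlay_raw" "$ALLOWED_OVERLAY"
```

Run it with USB debugging enabled and the phone attached; anything it reports is a candidate to turn off under Settings > Accessibility and Settings > Apps > Special app access > Display over other apps. An empty report does not prove the device is clean, only that nothing outside the allowlist currently holds those two capabilities.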
Bad actors target crypto apps on iOS and Android
Although the recent vulnerability did not directly target crypto users, the community remains at risk, especially in light of past incidents that have exposed significant security gaps across both Android and iOS platforms.
Earlier this year, a malicious app known as BOM was found to be stealing sensitive wallet data by requesting unnecessary permissions and scanning device storage for private keys and recovery phrases.
BOM masqueraded as a legitimate blockchain tool, ultimately siphoning more than $1.8 million in crypto assets from at least 13,000 victims before disappearing from storefronts.
In another case, the SparkCat malware campaign used optical character recognition technology to extract wallet seed phrases from screenshots stored on infected devices.
Distributed through seemingly harmless apps, the malware managed to infiltrate both the Google Play Store and Apple’s App Store, marking one of the first known examples of OCR-based attacks targeting iOS users.
The post Unity patches critical game engine flaw that could target crypto users appeared first on Invezz