Unity Technology fixes Android mobile bug, denies exploit

Unity Technologies has released a patch to fix a security vulnerability that could have allowed malicious code execution in Android games built with its platform, potentially stealing credentials such as crypto wallet seed phrases. 

In its security update advisory, Unity stated that the bug posed a high-severity risk; however, there is no evidence of exploitation or user impact. It was first identified on June 4 by cybersecurity researcher RyotaK of GMO Flatt Security Inc., and classified as CWE-426: Untrusted Search Path. 

Unity Technologies, a provider of real-time 3D development tools, powers over 70% of the world’s top 1,000 mobile games.

Unity bug affected editor versions, exposed apps to file loading

According to the disclosure, the vulnerability affected several platforms, including Android, Windows, macOS, and Linux. A patched version of the Unity Runtime was released on October 2, and developers are being urged to update their software to avoid the risk of exploits.

The vulnerability, with a CVSS score of 8.4, was also mentioned by RyotaK. It states that malicious apps installed on devices could hijack permissions granted to Unity-built apps, allowing attackers to execute arbitrary code remotely.

Director of community Larry “Major Nelson” Hryb published a security advisory saying applications that used affected Unity Editor versions were vulnerable to file loading and local file inclusion attacks.

Attackers could exploit this flaw to gain access at the privilege level of the vulnerable application. Windows systems faced double the risk if a registered custom URI handler existed, which attackers could use to trigger library-loading remotely.

The vulnerable Unity Runtime, present in builds made before October 2, allowed “argument injection,” which could result in the loading of code from unintended locations. If compromised, an adversary could run arbitrary commands or exfiltrate confidential information from an affected device.

Patch is live, projects start rebuilding

Unity confirmed late last week that patches are now available for all developers and has advised developers to rebuild their projects with a patched version of the Unity Editor. The firm also recommended applying the Unity Application Patcher to existing Android, Windows, or macOS builds, followed by testing and redeployment.

In the official statement, Unity reiterated that “no evidence of active exploitation” had been found and that no customers were affected. The company added that immediate mitigation steps were communicated to developers to prevent any future exposure.

On Android, the issue could lead to code execution or elevation of privilege, while on Windows, Linux (desktop and embedded), and macOS, the flaw could have resulted in privilege risks. Unity’s advisory noted that console games were not affected, although mobile and desktop applications built on vulnerable Unity versions were exposed to threats.

Last Friday, Microsoft also issued a related security alert confirming that Windows-based game development teams were reviewing and updating any potentially affected titles. Windows Defender has since been updated to detect and block any known exploits related to the exploit.

Hackers using games to steal private data

The broader gaming industry has been facing threats from malicious software, developed by hackers who have disguised games, even downloadable content, as legitimate content. Hackers hide malware in popular games, demos, or mods distributed through unofficial channels. 

Gamers could unknowingly aid hackers by downloading pirated versions of titles like Grand Theft Auto V, God of War, or Mortal Kombat 1 laced with hidden malware, such as Crackonosh. Once installed, the computer virus covertly harnesses the user’s computer resources to mine digital currencies like Monero (XMR) “silently.”

Some malicious actors inject harmful code through post-launch updates or redirect users to external sites hosting infected files. After successfully tricking gamers to download the loaded game, they steal personal data, gaming or crypto wallet credentials. 

In his statement, Hryb called on developers and users to always update their operating systems, enable automatic updates, and use reliable antivirus software. He also said security was a “shared responsibility” in gaming because millions of users interact with Unity-powered applications on a day-to-day basis.

Join a premium crypto trading community free for 30 days - normally $100/mo.