Crypto and gaming apps built with Unity are facing a security issue, as a vulnerability allows a malicious app already on devices to coerce a vulnerable Unity app into loading hostile code.
Unity revealed the vulnerability CVE-2025-59489 on Oct. 2, noting that code runs with the game’s own permissions on Android, enabling local code execution.
On desktop platforms, the risk centers on elevation of privilege. Unity says there’s no evidence of exploitation in the wild, but urges swift updates. The bug forces Unity’s runtime to accept specific pre-initialization arguments that influence where it searches for native libraries.
If an attacker can control that search path, the Unity app may load and execute the attacker’s library. Security firm GMO Flatt explained that the product trusts resources found on an external or attacker-influenced path.
How to check the threat to crypto-related apps
Many Unity-built apps integrate wallet SDKs, custodial logins, or WalletConnect-style sessions. Code injected into that specific Unity app can read its private files, hijack its WebView, call the same signing APIs, or exfiltrate session tokens.
Although the code does not jump sandboxes to drain unrelated wallet apps, the vulnerable Unity app holds keys or can request signatures via Android Keystore. As a result, an attacker can piggyback permitted actions.
Unity’s own advisory stressed that impact is confined to the app’s privileges, exactly the permissions a game-embedded wallet would rely on.
To check if a device is affected, the first step is to check the apps’ store pages’ date. On Android, if a game or wallet-enabled app shows an update on or after Oct. 2, it is likely that the developer has rebuilt with a fixed Unity editor or applied Unity’s patch.
On the other hand, earlier builds should be treated as potentially vulnerable until they are updated. Unity emphasized there is no known exploitation so far, but exposure exists if users also install malicious apps that can trigger the pathway.
Keeping Play Protect enabled, avoiding sideloaded applications, and pruning suspicious apps are among the recommended practices to stay safe while waiting for updates.
For developers, it is recommended to check which Unity editor produced the Android build in use and compare it to Unity’s fixed versions table.
Patched versions include 6000.0.58f2 (Unity 6 LTS), 2022.3.67f2, and 2021.3.56f2. Unity also published the first fixed tags for out-of-support streams back to 2019.1. Any builds predating the versions described must be treated as exploit angles
Staying alert
Even after patching the issue, users should treat wallet-integrated flows defensively. Ensuring seed phrases are never stored in plaintext and enforcing biometric prompts for every transfer are good practices.
Additionally, users can leverage Android Keystore for keys that require explicit user confirmation for all signing operations.
Disconnecting any lingering WalletConnect sessions and keeping larger balances on a hardware wallet until developers confirm the patched Unity build is live is a helpful extra step. These measures reduce the blast radius, even if a future path-loading bug were to be discovered.
Although CVE-2025-59489 is serious, it has well-defined fixes and clear operating guidance that users and developers can follow to stay safe.
Source: https://cryptoslate.com/can-a-unity-android-bug-drain-your-wallet-heres-how-to-check/
