Unity Technologies has fixed a recently discovered vulnerability that allowed malicious actors to execute arbitrary code in Android-based games. Security experts had previously warned that the flaw could potentially put cryptocurrency users at risk.
On Friday, Unity announced a security patch addressing the issue, which was first identified in June. Larry “Major Nelson” Hryb, Director of the Unity Community, explained that the vulnerability could allow local code execution and access to sensitive information on devices running Unity-based applications. He emphasized, however, that there is no evidence of the flaw being exploited, and no users or clients have been affected.
The flaw affected projects dating back to 2017, including Android mobile apps as well as games for Windows, macOS, and Linux.
Recommendations for Developers and Users
Unity strongly urges developers to update their Unity Editor to the latest version, rebuild all games with the patched editor, and republish them so end users can receive updates and protection automatically.
Mobile users are advised to:
- keep devices updated with the latest OS versions,
- enable automatic updates,
- use up-to-date antivirus software.
Security researcher RyotaK from GMO Flatt Security noted that the vulnerability allowed malicious apps on the same device to intercept permissions granted to Unity applications, theoretically enabling remote execution of arbitrary code.
Microsoft’s Response
Microsoft also issued guidance for Windows game developers, who are working to update all apps potentially affected by the vulnerability. Console games are not impacted.
Some studios, including Obsidian Entertainment, temporarily removed several games from digital stores while the fix was being applied. Updates to Windows Defender and other security tools have already been implemented to enhance protection.
Unity remains a leading platform for building real-time games and applications across multiple platforms, supporting over 70% of the world’s top 1,000 mobile games.

