Unity is quietly sending a fix for a security flaw that lets third-party code run inside Android mobile games, sources say. The problem traces back to projects as early as 2017 and mainly hits Android, though Windows, macOS and Linux can be affected to different degrees.
Unity has started sharing patches and a separate tool with select partners, while public guidance is expected on Monday or Tuesday next week. The flaw matters because injected code could try to steal credentials or target crypto wallet seed phrases.
What the bug does
Sources described the issue as in-process code injection, meaning outside code can be loaded into a running game. The reports did not confirm whether a device can be fully taken over.
They did say that, under some conditions on Android, the path could lead to a deeper compromise. Even without a full takeover, malicious code could show fake screens, capture input, or scrape what is on screen. Those actions can expose passwords and sensitive keys.
Unity response and Google reaction
Unity has started to hand out fixes privately to chosen partners, and it has also given a standalone patch tool to some developers to speed up fixes. Public guidance is not yet out, but it is due early next week.
A Google spokesperson said Unity is offering a patch and urged developers to update their apps right away. The spokesperson added that Google Play will help developers push patched app versions quickly, and that current scans do not show malicious apps exploiting the flaw on Play.
Why this matters
Unity is a major game engine, and the company says it powers over 70% of the top 1,000 mobile games and that more than 50% of new mobile games are made in Unity.
An issue in that engine can reach many titles, and a vulnerability that lets outside code run inside a game creates a large attack surface.
Mobile gamers who also use crypto wallets on the same device could face risk if an attacker can overlay a fake wallet screen or log keystrokes.
Risk to crypto users
The sources warned that overlays, input capture, and screen scraping are realistic attack steps. These can be used to harvest credentials and seed phrases for crypto wallets.
For people who keep wallets on their phones, the consequence could be direct theft. The sources also said sideloaded apps are especially dangerous because they bypass Play’s vetting and do not get automatic updates. Modified versions of legitimate games could be used to spread malware that exploits this vulnerability.
What developers should do
Developers who work with Unity should apply the private patch or the standalone tool as soon as they receive it. They should also watch for Unity’s public instructions next week and plan app updates for distribution through official stores.
Teams that support sideloaded installs should warn users to update or remove unsigned copies. Testing patched builds on multiple platforms is important because the flaw can behave differently on Windows, macOS and Linux.
The next few days will reveal how widely the flaw was exploited in the wild and how quickly fixes reach players. If patched apps appear quickly on official stores, the risk to most users will drop.
If not, bad actors could try to exploit sideloaded or unpatched apps. For now, updating games and isolating wallets remain the simplest and most effective steps players can take to reduce their risk.