Unity Technology fixes Android mobile bug, denies exploit

Source Cryptopolitan

Unity Technologies has released a patch to fix a security vulnerability that could have allowed malicious code execution in Android games built with its platform, potentially stealing credentials such as crypto wallet seed phrases. 

In its security update advisory, Unity stated that the bug posed a high-severity risk; however, there is no evidence of exploitation or user impact. It was first identified on June 4 by cybersecurity researcher RyotaK of GMO Flatt Security Inc., and classified as CWE-426: Untrusted Search Path. 

Unity Technologies, a provider of real-time 3D development tools, powers over 70% of the world’s top 1,000 mobile games.

Unity bug affected editor versions, exposed apps to file loading

According to the disclosure, the vulnerability affected several platforms, including Android, Windows, macOS, and Linux. A patched version of the Unity Runtime was released on October 2, and developers are being urged to update their software to avoid the risk of exploits.

The vulnerability, with a CVSS score of 8.4, was also mentioned by RyotaK. It states that malicious apps installed on devices could hijack permissions granted to Unity-built apps, allowing attackers to execute arbitrary code remotely.

Director of community Larry “Major Nelson” Hryb published a security advisory saying applications that used affected Unity Editor versions were vulnerable to file loading and local file inclusion attacks.

Attackers could exploit this flaw to gain access at the privilege level of the vulnerable application. Windows systems faced double the risk if a registered custom URI handler existed, which attackers could use to trigger library-loading remotely.

The vulnerable Unity Runtime, present in builds made before October 2, allowed “argument injection,” which could result in the loading of code from unintended locations. If compromised, an adversary could run arbitrary commands or exfiltrate confidential information from an affected device.

Patch is live, projects start rebuilding

Unity confirmed late last week that patches are now available for all developers and has advised developers to rebuild their projects with a patched version of the Unity Editor. The firm also recommended applying the Unity Application Patcher to existing Android, Windows, or macOS builds, followed by testing and redeployment.

In the official statement, Unity reiterated that “no evidence of active exploitation” had been found and that no customers were affected. The company added that immediate mitigation steps were communicated to developers to prevent any future exposure.

On Android, the issue could lead to code execution or elevation of privilege, while on Windows, Linux (desktop and embedded), and macOS, the flaw could have resulted in privilege risks. Unity’s advisory noted that console games were not affected, although mobile and desktop applications built on vulnerable Unity versions were exposed to threats.

Last Friday, Microsoft also issued a related security alert confirming that Windows-based game development teams were reviewing and updating any potentially affected titles. Windows Defender has since been updated to detect and block any known exploits related to the exploit.

Hackers using games to steal private data

The broader gaming industry has been facing threats from malicious software, developed by hackers who have disguised games, even downloadable content, as legitimate content. Hackers hide malware in popular games, demos, or mods distributed through unofficial channels. 

Gamers could unknowingly aid hackers by downloading pirated versions of titles like Grand Theft Auto V, God of War, or Mortal Kombat 1 laced with hidden malware, such as Crackonosh. Once installed, the computer virus covertly harnesses the user’s computer resources to mine digital currencies like Monero (XMR) “silently.”

Some malicious actors inject harmful code through post-launch updates or redirect users to external sites hosting infected files. After successfully tricking gamers to download the loaded game, they steal personal data, gaming or crypto wallet credentials

In his statement, Hryb called on developers and users to always update their operating systems, enable automatic updates, and use reliable antivirus software. He also said security was a “shared responsibility” in gaming because millions of users interact with Unity-powered applications on a day-to-day basis.

Join a premium crypto trading community free for 30 days - normally $100/mo.

Disclaimer: For information purposes only. Past performance is not indicative of future results.
placeholder
Samsung Electronics Forecasts Stronger-Than-Expected Q3 Profit on AI Demand Samsung forecasts Q3 profit of 12.1 trillion won, boosted by strong AI chip demand.
Author  Mitrade
Oct 14, Tue
Samsung forecasts Q3 profit of 12.1 trillion won, boosted by strong AI chip demand.
placeholder
Dollar Gains as US-China Trade Tensions Ease The U.S. dollar remained steady on Tuesday following a shift in President Donald Trump’s harsh stance on tariffs against China.
Author  Mitrade
Oct 14, Tue
The U.S. dollar remained steady on Tuesday following a shift in President Donald Trump’s harsh stance on tariffs against China.
placeholder
Asian Stocks Mixed as Commodities Pause and Yen Draws AttentionAsian equity markets struggled to close the week on a weak note Friday, influenced by ongoing losses on Wall Street that extended into early Asian trading.
Author  Mitrade
Oct 10, Fri
Asian equity markets struggled to close the week on a weak note Friday, influenced by ongoing losses on Wall Street that extended into early Asian trading.
placeholder
Oil Prices Hold Steady Amid Gaza Ceasefire and US Sanctions Oil prices held steady in early Asian trading on Friday following the announcement of a ceasefire between Israel and Hamas.
Author  Mitrade
Oct 10, Fri
Oil prices held steady in early Asian trading on Friday following the announcement of a ceasefire between Israel and Hamas.
placeholder
Bitcoin drops below $110K ahead of $22B options expiry; altcoins tumbleBitcoin fell below the $110,000 mark on Friday, heading for a steep weekly loss as nearly $22 billion in cryptocurrency options were set to expire. The drop also comes as traders await key U.S. inflation data that could influence the Federal Reserve’s policy outlook.
Author  Mitrade
Sept 26, Fri
Bitcoin fell below the $110,000 mark on Friday, heading for a steep weekly loss as nearly $22 billion in cryptocurrency options were set to expire. The drop also comes as traders await key U.S. inflation data that could influence the Federal Reserve’s policy outlook.
goTop
quote