Unity is quietly rolling out a fix for a security flaw that allows unauthorized third-party code to run inside Android-based mobile games, creating a potential threat to mobile crypto wallets, according to two sources familiar with the matter.
The issue dates back to projects from as early as 2017. While Android is the primary platform affected, the sources noted that Windows, macOS, and Linux versions are also exposed to varying degrees.
To address the vulnerability, Unity has begun privately distributing security updates and a standalone patching tool to select partners. Broader public guidance is expected early next week, sources said.
When contacted by Cointelegraph, Unity did not immediately respond.
A Google spokesperson, however, confirmed awareness of the flaw:
“Unity is making a patch available to app developers to fix this issue, and developers should update their apps immediately,” the spokesperson said.
“Google Play will support developers in releasing patched versions of their apps as quickly as possible. Based on our current detections, malicious apps exploiting this vulnerability have not been found on Play.”
Unity’s Market Impact
San Francisco–based Unity Technologies is the company behind Unity, one of the world’s most widely used game engines. More than 70% of the top 1,000 mobile games are built with Unity, and over half of all new mobile games use the platform, according to the company’s own figures.

Potential Threat to Crypto Wallets
According to sources, the vulnerability involves an “in-process code injection” that could allow malicious code to run inside Unity-based apps. While it remains unclear whether the flaw enables full device takeover, the sources warned that under certain conditions, it could escalate to a device-level compromise on Android.
Even without total control of a device, attackers could still use the flaw to launch overlays, capture inputs, or perform screen scraping—techniques that put sensitive information such as login credentials or crypto wallet seed phrases at risk.
How to Protect Yourself
Security experts recommend several precautions for mobile gamers:
- Update Unity-based games as soon as patches are released.
- Avoid sideloading apps—do not install games from unofficial stores or download APKs from random websites, as these may contain modified versions designed to exploit the flaw.
- Rely on Google Play for app updates, since sideloaded apps will not receive automatic security fixes.
- Review device permissions and disable unnecessary overlays or accessibility services that remain active while gaming.
- Separate your risk by keeping crypto wallets on a different device or account from the one used for gaming.

