Unity Android game vulnerability fixed before any exploitation was reported

The Unity Android game vulnerability was addressed when the firm rolled out a patch for the bug it detected back in June. Although a few months passed without a fix, the director mentioned that no exploitation of the vulnerability was recorded.

Unity Technologies, a tool provider for games, virtual reality (VR), and augmented reality (AR) experiences, diagnosed a bug in its code in June after a third-party researcher flagged it. The Unity Android bug allowed a third party to run code, which experts stated was risky to crypto users.

However, there was neither evidence of exploitation nor any customer impacted. The Unity security update advisory read, “There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers. Unity has provided fixes that address the vulnerability, and they are already available to all developers.”

“In its default configuration, this vulnerability allowed malicious applications installed on the same device to hijack permissions granted to Unity applications.

In specific cases, the vulnerability could be exploited remotely to execute arbitrary code, although I didn’t investigate third-party Unity applications to find an app with the functionality required to enable this exploit,” stated a security engineer at GMO Flatt Security Inc.

The affected feature exists to support debugging Unity applications on Android devices. The activity in question serves as the default entry point for applications and is exported to other applications. The problem is that Android’s permission model grants permissions to applications, and it does not restrict which intents or code can be sent to an application.

Because of this setup, other apps can also see or send messages to your Unity app (since it’s “exported”), which is useful for debugging — but can be risky if you leave it that way in a public (production) app.
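A check a developer can run over a decoded AndroidManifest.xml to list the activities that other apps can send intents to, including the default entry point described above. This is an added example, not code from the article or from Unity; the manifest, package and class names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded text form); all names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".LegacyShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.game.ADMIN"/>
  </application>
</manifest>""".strip()

def exported_activities(manifest_xml):
    """Return one dict per activity that other apps can send intents to."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for act in root.iter("activity"):
        has_filter = act.find("intent-filter") is not None
        flag = act.get(ANDROID + "exported")
        # With no explicit attribute, an intent filter made the activity
        # exported by default for apps targeting below API level 31.
        exported = (flag == "true") if flag is not None else has_filter
        if not exported:
            continue
        actions = {a.get(ANDROID + "name") for a in act.iter("action")}
        findings.append({
            "name": act.get(ANDROID + "name"),
            "entry_point": "android.intent.action.MAIN" in actions,
            "guarded": act.get(ANDROID + "permission") is not None,
            "implicit": flag is None,  # exported only through the legacy default
        })
    return findings

if __name__ == "__main__":
    for finding in exported_activities(SAMPLE_MANIFEST):
        print(finding)
```

Every activity this reports with `guarded` set to `False` receives intents from any app on the device, so its intent extras need to be treated as untrusted input in a production build.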
