Supply Chain Attack Injects Cryptocurrency Thief into AppsFlyer SDK

A temporary hijacking of the AppsFlyer Web SDK allowed attackers to distribute malicious JavaScript code designed to steal cryptocurrency from unsuspecting users. The compromised script intercepted wallet addresses entered on websites and replaced them with attacker-controlled destinations, diverting funds to threat actors. AppsFlyer's platform serves approximately 15,000 businesses supporting over 100,000 applications, making this supply chain incident potentially far-reaching.

Profero researchers discovered obfuscated JavaScript being delivered from the official websdk.appsflyer.com domain between March 9 and March 11. The malicious code preserved normal SDK functionality while secretly monitoring browser network requests for cryptocurrency wallet inputs across the Bitcoin, Ethereum, Solana, Ripple, and TRON networks. When one was detected, the original wallet address was replaced and exfiltrated along with its associated metadata.

AppsFlyer confirmed a domain registrar incident exposed the web SDK to unauthorized code during this window, though the mobile SDK remained unaffected. The company stated no evidence suggests customer data on their systems was accessed, and direct communications were sent to affected customers. The investigation continues with external forensic experts.

Organizations using the SDK are advised to review telemetry logs for suspicious API requests and revert to known-good versions. This incident follows earlier claims by the ShinyHunters group that they leveraged AppsFlyer's SDK in a supply chain breach against Match Group, compromising over 10 million user records from dating platforms including Hinge and OkCupid.
