The AppsFlyer Web SDK was temporarily compromised with malicious code inserted to steal cryptocurrency. The attack involved intercepting cryptocurrency wallet addresses entered on websites and replacing them with attacker-controlled addresses to divert funds. This incident impacts thousands of applications and their end users, as reported by Bleeping Computer.

Profero researchers discovered that the AppsFlyer SDK, used by over 15,000 businesses for marketing analytics, was serving obfuscated JavaScript from its official domain. This malicious code preserved normal SDK functions but secretly monitored browser network requests for cryptocurrency wallet addresses. It targeted Bitcoin, Ethereum, Solana, Ripple, and TRON, replacing legitimate addresses with those controlled by the attackers.

AppsFlyer confirmed a domain registrar incident on March 10 that temporarily exposed the Web SDK to unauthorized code, though the mobile SDK was unaffected. The vendor stated the issue has been resolved. Organizations using the AppsFlyer Web SDK should review telemetry logs for suspicious activity, consider downgrading to known-good versions, and investigate potential compromises.

Source: Bleeping Computer
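
As an added example (not code from AppsFlyer, Profero or Bleeping Computer), one way to look for the address swapping described above when reviewing telemetry: compare the wallet address a user entered with the addresses in the request the page actually sent. The record shape (`id`, `entered`, `sentBody`), the function names and all sample addresses are constructed assumptions, and the patterns are loose format matches rather than checksum validation.

```javascript
// Added example. Patterns follow the public address formats of the five chains
// named in the report; they check shape only, not checksums.
const B58 = "[1-9A-HJ-NP-Za-km-z]";
// Order matters: the Solana pattern (plain base58) would also match the others.
const CHAINS = [
  ["ethereum", /^0x[0-9a-fA-F]{40}$/],
  ["bitcoin", new RegExp(`^(bc1[0-9a-z]{11,71}|[13]${B58}{25,34})$`)],
  ["tron", new RegExp(`^T${B58}{33}$`)],
  ["ripple", new RegExp(`^r${B58}{24,34}$`)],
  ["solana", new RegExp(`^${B58}{32,44}$`)],
];
const classify = (t) => (CHAINS.find(([, re]) => re.test(t)) || [null])[0];
// Ethereum hex is case-insensitive, so an app that lowercases it is not a swap.
const norm = (a, chain) => (chain === "ethereum" ? a.toLowerCase() : a);

// Pull every address-shaped token out of a request body.
function extractAddresses(body) {
  return (body.match(/[0-9A-Za-z]{26,90}/g) || [])
    .map((t) => [t, classify(t)])
    .filter(([, chain]) => chain)
    .map(([t, chain]) => ({ address: norm(t, chain), chain }));
}

// Flag records whose body carries an address on the same chain as the one
// the user entered while the entered address itself is missing from the body.
function findSwaps(records) {
  const findings = [];
  for (const r of records) {
    const chain = classify(r.entered);
    if (!chain) continue; // field did not hold a wallet address
    const entered = norm(r.entered, chain);
    const sent = extractAddresses(r.sentBody);
    if (sent.some((a) => a.address === entered)) continue;
    const other = sent.find((a) => a.chain === chain);
    if (other) findings.push({ id: r.id, chain, entered, sent: other.address });
  }
  return findings;
}

// Constructed sample telemetry (hypothetical record format, fake addresses).
const ETH_A = "0x" + "Ab".repeat(20), ETH_B = "0x" + "cd".repeat(20);
const TRON_A = "T" + "A".repeat(33), TRON_B = "T" + "B".repeat(33);
const SAMPLE = [
  { id: 1, entered: ETH_A, sentBody: JSON.stringify({ to: ETH_A.toLowerCase() }) },
  { id: 2, entered: ETH_A, sentBody: JSON.stringify({ to: ETH_B, amount: "1.5" }) },
  { id: 3, entered: TRON_A, sentBody: JSON.stringify({ to: TRON_B }) },
  { id: 4, entered: TRON_A, sentBody: JSON.stringify({ to: TRON_A }) },
  { id: 5, entered: "jane@example.com", sentBody: JSON.stringify({ to: ETH_B }) },
];
console.log(findSwaps(SAMPLE)); // records 2 and 3 are flagged
```

A hit is a lead for investigation, not proof: any long base58 token in a body (a session id, for instance) can match the Solana pattern.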
Supply chain, Application security

AppsFlyer SDK hijacked in supply-chain attack targeting cryptocurrency


