
AppsFlyer SDK Hijacked to Steal Crypto in New Attack

Originally published on: March 15, 2026
Summary

– The AppsFlyer Web SDK was hijacked in a supply-chain attack, delivering malicious code that stole cryptocurrency by replacing wallet addresses on websites.
– The malicious payload was obfuscated, preserved normal SDK functions, and targeted major cryptocurrencies like Bitcoin and Ethereum.
– The compromise, discovered by Profero researchers, impacted thousands of applications due to the SDK’s widespread use for marketing analytics.
– AppsFlyer confirmed the incident was a domain registrar issue affecting the web SDK, but stated the mobile SDK was safe and customer data was not accessed.
– Organizations using the SDK are advised to review logs and downgrade to safe versions, as the full scope and cause of the incident remain under investigation.

A widely used marketing analytics tool was compromised this week, with its Web SDK temporarily delivering malicious code designed to steal cryptocurrency. This supply-chain attack used the AppsFlyer Web SDK to intercept and replace digital wallet addresses on websites, diverting funds to attackers. The SDK is integrated into thousands of applications for tracking user engagement, so the potential impact reached a significant number of end-users globally.

Security researchers at Profero identified the compromise, confirming that obfuscated, attacker-controlled JavaScript was being served to visitors of sites embedding the SDK. The malicious activity was traced to the official domain, `websdk.appsflyer.com`, with reports from multiple users corroborating the findings. While AppsFlyer's public status page initially noted only a domain availability issue on March 10, the investigation revealed a more serious breach.

The injected code preserved the SDK's normal functions to avoid detection. In the background, it decoded hidden strings and hooked the browser's network APIs so it could inspect traffic leaving the page. Its primary job was to watch for cryptocurrency transactions: when a user entered a wallet address, the malware silently replaced it with an attacker-controlled address and exfiltrated the original address and related metadata. The script targeted Bitcoin, Ethereum, Solana, Ripple and TRON, covering most mainstream transaction types.
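The behaviour described above lends itself to a client-side tripwire, and the same helpers are useful when reviewing captured request bodies during an investigation. The following JavaScript is an added example, not code from AppsFlyer, Profero or the article: it flags network entry points that are no longer the browser's native implementations, and compares the wallet address a user typed against what is about to leave the page. The address patterns are syntactic approximations for the chains the article names (no checksum validation) and are an assumption here; the sample addresses and payload are constructed for the demo.

```javascript
// Added example (not AppsFlyer's or Profero's code): detection helpers for the
// two behaviours the article describes, hooking of browser network APIs and
// swapping of wallet addresses in outbound data. Address patterns are
// syntactic approximations (no checksum validation) and are an assumption here.

const BASE58 = '[1-9A-HJ-NP-Za-km-z]';

// Ordered: specific prefixes first, because a TRON, XRP or legacy-BTC string
// also fits the loose, length-only Solana pattern.
const CHAIN_PATTERNS = [
  ['Ethereum', /^0x[0-9a-fA-F]{40}$/],
  ['Bitcoin',  /^bc1[ac-hj-np-z02-9]{25,62}$/],
  ['TRON',     new RegExp(`^T${BASE58}{33}$`)],
  ['Ripple',   new RegExp(`^r${BASE58}{24,34}$`)],
  ['Bitcoin',  new RegExp(`^[13]${BASE58}{25,34}$`)],
  ['Solana',   new RegExp(`^${BASE58}{32,44}$`)],
];

// Classify a single token; returns the chain name or null.
function classifyAddress(token) {
  for (const [chain, re] of CHAIN_PATTERNS) {
    if (re.test(token)) return chain;
  }
  return null;
}

// Find every wallet-looking token in a request body, form payload or log line.
function findWalletAddresses(text) {
  const found = [];
  for (const token of String(text).split(/[^A-Za-z0-9]+/)) {
    const chain = classifyAddress(token);
    if (chain) found.push({ chain, address: token });
  }
  return found;
}

// Compare what the user typed with what is about to leave the page.
// A same-chain address in the outbound body that is not the typed one,
// while the typed one is absent, is the swap pattern described above.
function detectAddressSwap(typedAddress, outboundBody) {
  const chain = classifyAddress(typedAddress);
  if (!chain) return { swapped: false, reason: 'typed value is not a recognised address' };
  const sameChain = findWalletAddresses(outboundBody)
    .filter((a) => a.chain === chain)
    .map((a) => a.address);
  const present = sameChain.includes(typedAddress);
  const foreign = sameChain.filter((a) => a !== typedAddress);
  return { swapped: !present && foreign.length > 0, chain, expected: typedAddress, observed: foreign };
}

// A function that still carries its engine-provided body reports "[native code]";
// a page-level JavaScript wrapper around fetch/XHR/sendBeacon does not. An attacker
// who also overrides Function.prototype.toString can hide from this, so it is a
// tripwire, not a guarantee.
function isNativeFunction(fn) {
  return typeof fn === 'function' && /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Report which network entry points in `scope` (normally `window`) are no longer native.
function checkNetworkHooks(scope) {
  const candidates = {
    'fetch': scope.fetch,
    'XMLHttpRequest.prototype.open': scope.XMLHttpRequest && scope.XMLHttpRequest.prototype.open,
    'XMLHttpRequest.prototype.send': scope.XMLHttpRequest && scope.XMLHttpRequest.prototype.send,
    'navigator.sendBeacon': scope.navigator && scope.navigator.sendBeacon,
  };
  return Object.entries(candidates)
    .filter(([, fn]) => typeof fn === 'function' && !isNativeFunction(fn))
    .map(([name]) => name);
}

// Constructed demo data (not from the incident): the user typed one Ethereum
// address, the outbound payload carries a different one.
const TYPED_ETH = '0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B';
const SWAPPED_BODY = JSON.stringify({ to: '0x' + 'deadbeef'.repeat(5), amount: '0.5' });

if (typeof require !== 'undefined' && require.main === module) {
  console.log(detectAddressSwap(TYPED_ETH, SWAPPED_BODY));
  console.log(checkNetworkHooks(globalThis));
}
```

In a page, `checkNetworkHooks(window)` would run after third-party scripts have loaded, and `detectAddressSwap` would be called from the site's own submit handler with the value read from the input field and the serialized body it is about to send. Both checks run in the same origin as the compromised SDK, so a payload that is aware of them can neutralise them; the durable mitigation is to keep mutable third-party code out of pages that handle wallet addresses, or to isolate it from them.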

Profero estimates the exposure window likely spanned from March 9 to March 11, though the full scope and root cause remain under investigation. This incident underscores a critical risk: threat actors can exploit the inherent trust in widely deployed third-party software development kits to attack downstream websites, apps, and their users.

In response to inquiries, an AppsFlyer spokesperson acknowledged that unauthorized code was delivered through its Web SDK due to a domain registrar incident detected on March 10. The company emphasized that its mobile SDK was not affected and stated its investigation has found no evidence that customer data stored on AppsFlyer’s own systems was accessed. “We take this incident very seriously and have been actively communicating with customers,” the company stated, confirming the issue is now resolved and the web SDK is safe to use again.

Given the uncertainties about the incident's exact mechanics and breadth, organizations using the SDK are advised to take precautionary steps: review logs for requests involving the compromised domain during the exposure window, revert to a known-stable version of the SDK, and look for other signs of compromise. Note that a script loaded at runtime from a third-party host executes whatever that host serves, so pinning a version on the site side does not by itself protect against a hijacked delivery domain.

This is not the first time AppsFlyer has been linked to a major security issue. Earlier this year, the ShinyHunters threat group claimed it used the SDK as a vector in a supply-chain attack against Match Group, allegedly leading to the theft of over 10 million user records from dating platforms like Hinge, Match.com, and OkCupid.

(Source: Bleeping Computer)
