AppsFlyer Web SDK Temporarily Hijacked in Supply-Chain Attack, Distributing Cryptocurrency Stealer

The AppsFlyer Web SDK, a widely adopted marketing-analytics platform, was temporarily compromised this week and used as the delivery vehicle for a supply-chain attack that injected malicious JavaScript designed to steal cryptocurrency. The incident, uncovered by security researchers, illustrates the risk carried by third-party software dependencies and the evolving tactics of threat actors targeting the digital economy. Once active, the payload could intercept cryptocurrency wallet addresses entered by users on affected websites and silently replace them with attacker-controlled addresses, diverting funds to the attackers. Given the reach of AppsFlyer’s SDK, the potential impact on end users across a large number of applications is considerable.

Understanding the Scope of the Compromise

AppsFlyer’s SDK platform is a cornerstone for many businesses, serving an estimated 15,000 companies globally and integrated into over 100,000 mobile and web applications. It functions as a leading "mobile measurement partner" (MMP), crucial for tracking the effectiveness of marketing campaigns, attributing user acquisitions, and monitoring in-app events. This widespread integration means that a compromise of the SDK could have far-reaching consequences, affecting a significant portion of the internet’s user base that interacts with applications relying on AppsFlyer for analytics.

The initial detection of this malicious activity was attributed to researchers at Profero. Their investigation confirmed the presence of obfuscated JavaScript code, controlled by attackers, being delivered to users visiting websites and applications that had integrated the AppsFlyer Web SDK. This injected code was designed with a degree of stealth, aiming to preserve the normal functionality of the SDK while surreptitiously executing its malicious agenda in the background.

AppsFlyer has acknowledged an incident, though its public statements have focused on a "domain availability issue" posted to its status page on March 10, 2026. That notice does not describe the malicious code distribution, which AppsFlyer subsequently confirmed in response to BleepingComputer’s inquiries.

A Chronology of Discovery and Response

The timeline of this incident, as pieced together by researchers and the company, paints a picture of a rapidly unfolding and potentially impactful attack:

  • March 9, 2026: Profero researchers identified a malicious payload being served by the AppsFlyer Web SDK. The payload was served from the official domain, websdk.appsflyer.com. The findings were corroborated by multiple user reports on platforms such as Reddit, signaling growing concern within the security community.
  • March 10, 2026: AppsFlyer published a "domain availability issue" on its status page, a notice that appears to align with the timeframe of the detected compromise.
  • Post-Discovery: Researchers at Profero released their findings, detailing the sophisticated nature of the attack. They emphasized how threat actors can exploit the trust placed in widely deployed third-party SDKs to impact downstream systems and end-users.
  • BleepingComputer Inquiry: Upon learning of Profero’s findings, BleepingComputer reached out to AppsFlyer for clarification and confirmation.
  • AppsFlyer Confirmation: A spokesperson for AppsFlyer confirmed to BleepingComputer that unauthorized code was indeed delivered through the AppsFlyer Web SDK due to a domain registrar incident. They stated that the incident was detected and contained on March 10.

According to the researchers, the exposure window likely ran from 22:45 UTC on March 9 to March 11. It is not yet known whether the compromise extended beyond this window or affected SDK users outside these dates.

The Mechanics of the Cryptocurrency Stealer

The injected JavaScript code was engineered to be particularly insidious. It was not designed to immediately disrupt the user experience or flag itself as suspicious. Instead, it operated by:

  1. Preserving Normal SDK Functionality: The primary goal was to blend in, ensuring that the legitimate functions of the AppsFlyer SDK continued to operate without raising immediate alarms.
  2. Runtime Obfuscation and Decoding: The malicious code contained obfuscated strings that were decoded at runtime, making static analysis more challenging for security tools.
  3. Hooking Network Requests: The script hooked the browser’s network request functions, placing itself in the path of every outgoing request so that it could intercept and inspect traffic leaving the page.
  4. Monitoring for Wallet Addresses: The malware specifically monitored pages for user input related to cryptocurrency wallet addresses. This typically occurs during transactions where users paste or type in recipient wallet addresses.
  5. Address Replacement and Exfiltration: Upon detecting a cryptocurrency wallet address, the malware would perform a real-time replacement, substituting the legitimate address with an address controlled by the attacker. Concurrently, it would exfiltrate the original wallet address and any associated metadata to the attacker’s infrastructure.

The targeting was broad: the malware handled addresses for Bitcoin, Ethereum, Solana, Ripple, and TRON, which together cover the chains most commonly used for mainstream transactions.
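The technique described in steps 3 to 5 hinges on one interception point: wrapping the browser’s request function so that a body can be read, and rewritten, before it leaves the page. The following is an added example, not AppsFlyer’s code and not the attacker’s payload. It takes that same hook point on `fetch` but uses it defensively: every outbound body is scanned for tokens that look like wallet addresses, and any address other than the one the user actually entered is flagged. The address patterns are the common textbook formats for the five chains named above; they classify a token, they do not verify checksums. The request bodies and the `/api/withdraw` endpoint are constructed for the demonstration.

```javascript
// Added example, not AppsFlyer's code and not the attacker's payload: it
// shows the hook point a script can take in the browser's request pipeline
// (wrapping window.fetch) and uses it defensively, scanning each outbound body
// for wallet addresses and flagging any that differ from the address the user
// actually entered. The address patterns are common textbook formats for the
// five chains named in the article; they classify, they do not verify checksums.

const ADDRESS_RULES = [
  // Order matters: the base58 families overlap, so the most specific prefix wins.
  { chain: 'ethereum', re: /^0x[0-9a-fA-F]{40}$/ },
  { chain: 'bitcoin',  re: /^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$/ },
  { chain: 'tron',     re: /^T[1-9A-HJ-NP-Za-km-z]{33}$/ },
  { chain: 'ripple',   re: /^r[1-9A-HJ-NP-Za-km-z]{24,34}$/ },
  { chain: 'solana',   re: /^[1-9A-HJ-NP-Za-km-z]{32,44}$/ },
];

// Return the chain a token looks like, or null if it matches no rule.
function classifyAddress(token) {
  for (const rule of ADDRESS_RULES) {
    if (rule.re.test(token)) return rule.chain;
  }
  return null;
}

// Scan free text (JSON, form-encoded or query-string bodies) for tokens that
// look like wallet addresses. Tokens are maximal alphanumeric runs, so a JSON
// string value is examined on its own.
function extractWalletAddresses(text) {
  const found = [];
  for (const m of String(text).matchAll(/[0-9A-Za-z]+/g)) {
    const chain = classifyAddress(m[0]);
    if (chain) found.push({ chain, address: m[0] });
  }
  return found;
}

// Compare what the user entered with what is about to leave the page. Any
// address in the body other than the expected one is the signature of an
// address-swapping clipper.
function checkOutbound(expectedAddress, body) {
  const unexpected = extractWalletAddresses(body)
    .filter(a => a.address !== expectedAddress);
  return { ok: unexpected.length === 0, unexpected };
}

// Wrap target.fetch so every outgoing request is shown to `inspector` before
// the original implementation runs. This is the same interception point a
// malicious script can use to rewrite a body; here it only observes. `target`
// is `window` in a browser; the simulation below passes a plain object.
function hookFetch(target, inspector) {
  const original = target.fetch;
  target.fetch = function hookedFetch(input, init) {
    const url = typeof input === 'string' ? input : String(input && input.url);
    const body = init && typeof init.body === 'string' ? init.body : '';
    inspector(url, body);
    return original.call(this, input, init);
  };
  return () => { target.fetch = original; };   // call to remove the hook
}

// --- constructed demonstration data, not real traffic ---
const USER_ENTERED = '0x' + '1'.repeat(40);
const SWAPPED_IN   = '0x' + '2'.repeat(40);
const cleanBody    = JSON.stringify({ amount: '0.5', asset: 'ETH', to: USER_ENTERED });
const tamperedBody = cleanBody.replace(USER_ENTERED, SWAPPED_IN);

// Simulated page: a fake fetch that records what it was asked to send, with the
// inspector hooked in front of it. Returns the alerts raised and the bodies sent.
function simulate(body) {
  const page = {
    sent: [],
    fetch(url, init) { this.sent.push(init.body); return { ok: true }; },
  };
  const alerts = [];
  const unhook = hookFetch(page, (url, b) => {
    const verdict = checkOutbound(USER_ENTERED, b);
    if (!verdict.ok) alerts.push({ url, unexpected: verdict.unexpected });
  });
  page.fetch('/api/withdraw', { method: 'POST', body });
  unhook();
  return { alerts, sent: page.sent };
}

console.log(simulate(cleanBody).alerts.length, 'alert(s) on clean body');
console.log(simulate(tamperedBody).alerts.length, 'alert(s) on tampered body');
```

Two points follow from the structure. First, a hook installed this way is invisible to a page that simply calls `fetch`, which is why the SDK kept working normally while the payload ran. Second, a page that wants to defend itself has to install its own hook before any third-party script runs, and must still treat the check as best effort, because a script that loads later can wrap the wrapper.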


Broader Implications and Industry Response

The AppsFlyer incident serves as a stark reminder of the inherent vulnerabilities within software supply chains. The reliance on third-party libraries and SDKs, while offering efficiency and accelerated development, also introduces a single point of failure. A compromise at the source, as in this case, can cascade through numerous downstream applications, impacting end-users who have no direct control over the SDKs their applications utilize.

"While the full scope, duration, and root cause of the incident remain unverified, the activity highlights how threat actors can abuse trust in widely deployed third-party SDKs to impact downstream websites, applications, and end users," Profero stated in their analysis. This sentiment underscores the critical need for robust security practices not only for the direct users of an SDK but also for the organizations that integrate them.

AppsFlyer’s response has been to emphasize containment and resolution. "AppsFlyer detected and contained a domain registrar incident on March 10 that temporarily exposed the AppsFlyer Web SDK running on a segment of customer websites to unauthorized code," a spokesperson stated. They further clarified that the mobile SDK remained unaffected and that their investigation, to date, had not uncovered evidence of customer data being accessed on AppsFlyer systems. The company has assured customers that the issue has been resolved and that direct communication and updates have been provided.

"The mobile SDK has remained safe to use throughout the process, and the web SDK is safe to use," the AppsFlyer spokesperson added. The company indicated that its investigation is ongoing, with the engagement of external forensic experts to fully ascertain the extent of the breach and its root cause. Further information is expected to be released upon the completion of this investigation.

Recommendations for Organizations and Users

In the wake of such incidents, organizations that deploy the AppsFlyer SDK are advised to take proactive measures to secure their environments. These recommendations include:

  • Reviewing Telemetry Logs: Scrutinize logs for suspicious API requests associated with websdk.appsflyer.com, particularly during the exposure window, to identify which pages and sessions may have received the payload.
  • Downgrading SDK Versions: Where feasible, consider reverting to known-good, earlier versions of the SDK that were not affected by the injection. Because the payload was served from websdk.appsflyer.com itself, confirm how each page loads the SDK: a version pin only helps where the script is bundled or self-hosted rather than fetched live from that domain.
  • Investigating Potential Compromise: A thorough investigation into internal systems and user activity for any signs of unauthorized access or financial loss related to cryptocurrency transactions is crucial.
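The first recommendation is a log-triage task, and the part that is easy to get wrong is the time window. The following is an added example, not from AppsFlyer or Profero, that filters request logs for hits on websdk.appsflyer.com inside the window the researchers gave. It assumes log lines of the form `<ISO timestamp> <method> <url> <status>`, as a proxy or CDN might emit them, reads "to March 11" as the whole of March 11 UTC (the conservative choice), and uses a placeholder script path in its constructed sample lines rather than the SDK’s real path.

```javascript
// Added example (not from AppsFlyer or Profero): filters request logs for hits
// on websdk.appsflyer.com inside the exposure window the researchers gave.
// Assumptions: lines are "<ISO timestamp> <method> <url> <status>" as a proxy
// or CDN might emit them, and "to March 11" is read as the whole of March 11
// UTC, the conservative choice. The script path in the sample lines is a
// placeholder, not the SDK's real path.

const SUSPECT_HOST = 'websdk.appsflyer.com';
const WINDOW_START = Date.parse('2026-03-09T22:45:00Z');
const WINDOW_END   = Date.parse('2026-03-12T00:00:00Z');  // exclusive

// Parse one log line into its fields, or return null if it does not fit.
function parseLogLine(line) {
  const m = /^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\b/.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  let host;
  try { host = new URL(m[3]).hostname.toLowerCase(); } catch (e) { return null; }
  return { ts, method: m[2], url: m[3], host, status: Number(m[4]) };
}

// Return parsed records that hit the suspect host (or a subdomain of it)
// within the window, oldest first. Malformed lines are skipped.
function findExposureWindowHits(lines) {
  return lines
    .map(parseLogLine)
    .filter(r => r
      && (r.host === SUSPECT_HOST || r.host.endsWith('.' + SUSPECT_HOST))
      && r.ts >= WINDOW_START && r.ts < WINDOW_END)
    .sort((a, b) => a.ts - b.ts);
}

// Constructed sample lines (not real logs).
const SAMPLE_LOG = [
  '2026-03-09T21:10:02Z GET https://websdk.appsflyer.com/EXAMPLE-SDK-PATH.js 200',  // before window
  '2026-03-09T23:02:41Z GET https://websdk.appsflyer.com/EXAMPLE-SDK-PATH.js 200',  // inside window
  '2026-03-10T08:15:00Z GET https://cdn.example.net/app.js 200',                   // other host
  '2026-03-11T19:44:13Z GET https://websdk.appsflyer.com/EXAMPLE-SDK-PATH.js 200',  // inside window
  '2026-03-12T00:00:01Z GET https://websdk.appsflyer.com/EXAMPLE-SDK-PATH.js 200',  // after window
  'garbage line that should be skipped',
];

for (const hit of findExposureWindowHits(SAMPLE_LOG)) {
  console.log(new Date(hit.ts).toISOString(), hit.url);
}
```

Run it against a real export by replacing `SAMPLE_LOG` with the lines of the file; the output is the list of fetches to re-examine. Because the article leaves open whether the compromise extended beyond the stated dates, it is worth widening `WINDOW_START` and `WINDOW_END` by a day on each side on a second pass and comparing the two result sets.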

For end users, the incident highlights the importance of vigilance when conducting cryptocurrency transactions. Because this attack substituted wallet addresses after they were entered, users should compare the recipient address shown at every confirmation step against the one they intended to send to, and be wary of unusual behavior on websites they frequent, especially those that handle financial information.

A Recurring Pattern of Concern

This is not the first time AppsFlyer has been associated with a significant cybersecurity incident this year. Earlier in 2026, the notorious threat group ShinyHunters claimed to have leveraged the AppsFlyer SDK to achieve a supply-chain breach at Match Group. This breach reportedly led to the theft of over 10 million records belonging to users of Hinge, Match.com, and OkCupid. While AppsFlyer’s role in that incident, if any, has not been fully detailed publicly, the recurring association of the SDK with high-profile breaches underscores the ongoing challenges in securing complex software ecosystems.

The AppsFlyer Web SDK incident serves as a critical case study in the evolving threat landscape. It underscores the need for continuous vigilance, robust security protocols, and a deep understanding of the interconnectedness of digital services. As threat actors become more sophisticated, the reliance on third-party components will continue to be a focal point for attacks, necessitating a layered and proactive approach to cybersecurity across the entire digital supply chain.
