
The AppsFlyer Web SDK was briefly hijacked this week with malicious code used to steal cryptocurrency in a supply-chain attack.
The payload can intercept cryptocurrency wallet addresses entered on websites and replace them with attacker-controlled addresses to divert funds to the threat actor.
Because the AppsFlyer SDK is used by thousands of applications for marketing analytics (user engagement and retention), the impact extends to a large number of end users.
According to AppsFlyer, its SDK platform is used by 15,000 businesses worldwide in over 100,000 mobile and web applications. It is one of the leading "mobile measurement partner" (MMP) SDKs used to track marketing campaign attribution and in-app events.
The suspected compromise was discovered by Profero researchers, who "confirmed the presence of obfuscated attacker-controlled JavaScript being delivered to users visiting websites and applications that loaded the AppsFlyer SDK."
AppsFlyer has not confirmed any incidents beyond a domain availability issue published on its status page on March 10, 2026.
On March 9, Profero discovered a malicious payload served by the SDK from its official domain, at 'websdk.appsflyer.com,' which was also reported by several users.
"While the full scope, duration, and root cause of the incident remain unverified, the activity highlights how threat actors can abuse trust in widely deployed third-party SDKs to impact downstream websites, applications, and end users," Profero explains.
The injected JavaScript was designed to preserve normal SDK functionality, but in the background it loads and decodes obfuscated strings at runtime and hooks into browser network requests.
The malware monitors pages for cryptocurrency wallet input activity. When it detects a wallet address, it replaces it with the attacker's wallet while exfiltrating the original wallet address and associated metadata.
The targeted addresses include Bitcoin, Ethereum, Solana, Ripple, and TRON, covering a large swath of mainstream cryptocurrency transactions.
The researchers suggest that the exposure window is likely between March 9, 22:45 UTC, and March 11. It is unclear whether the compromise affected SDK users beyond that window.
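The two pieces a clipper of this kind needs are recognising which chain an address belongs to and swapping in a same-chain attacker address before the request leaves the browser. The following is an added example, not code from AppsFlyer, Profero, or the malware itself, written from the defender's side: it classifies address-shaped tokens for the five chains named above and compares what the user typed with the body a page is about to send, flagging a same-chain substitution. Every address, form value and request body in it is constructed test data; the function names are this example's own.

```javascript
// Added example, not code from AppsFlyer or Profero. It classifies wallet
// addresses per chain and spots a same-chain substitution between what the
// user typed and the body a page is about to send. All data is constructed.

// Base58 alphabet used by Bitcoin legacy, Solana, XRP and TRON addresses
// (no 0, O, I or l). Bech32 Bitcoin addresses are lower-case and start with bc1.
const B58 = "[1-9A-HJ-NP-Za-km-z]";

// Order matters: TRON, XRP and legacy Bitcoin addresses are also valid base58
// strings inside the Solana length range, so the prefixed shapes go first and
// Solana is the fallback. Ethereum is hex, so it never collides with base58.
const CHAINS = [
  { chain: "tron", re: new RegExp(`^T${B58}{33}$`) },
  { chain: "ripple", re: new RegExp(`^r${B58}{24,34}$`) },
  { chain: "bitcoin", re: new RegExp(`^(?:bc1[a-z0-9]{25,62}|[13]${B58}{25,34})$`) },
  { chain: "ethereum", re: /^0x[0-9a-fA-F]{40}$/ },
  { chain: "solana", re: new RegExp(`^${B58}{32,44}$`) },
];

// Returns the chain name for an address-shaped token, or null for anything else.
function classifyAddress(token) {
  const hit = CHAINS.find(({ re }) => re.test(token));
  return hit ? hit.chain : null;
}

// Pull every address-shaped token out of free text (form values, JSON bodies,
// query strings). Any alphanumeric run is a candidate; classifyAddress filters.
function extractAddresses(text) {
  const out = [];
  for (const tok of text.match(/[A-Za-z0-9]+/g) || []) {
    const chain = classifyAddress(tok);
    if (chain) out.push({ chain, address: tok });
  }
  return out;
}

// A clipper swaps in an attacker address of the same chain, so the signal is:
// the outgoing body carries an address for a chain the user entered, but that
// address is not one the user typed. Returns one finding per suspicious address.
function findAddressSwaps(typedValues, outgoingBody) {
  const typed = extractAddresses(typedValues.join(" "));
  const typedAddresses = new Set(typed.map((a) => a.address));
  const typedChains = new Set(typed.map((a) => a.chain));
  const findings = [];
  for (const { chain, address } of extractAddresses(outgoingBody)) {
    if (typedChains.has(chain) && !typedAddresses.has(address)) {
      findings.push({
        chain,
        sent: address,
        expected: typed.filter((a) => a.chain === chain).map((a) => a.address),
      });
    }
  }
  return findings;
}

// Constructed scenario: the user pastes one Ethereum address into a withdrawal
// form; a hooked fetch rewrites the JSON body before it leaves the browser.
const USER_TYPED = ["0x1111111111111111111111111111111111111111"];
const CLEAN_BODY = JSON.stringify({ to: USER_TYPED[0], amount: "0.5" });
const SWAPPED_BODY = JSON.stringify({
  to: "0x2222222222222222222222222222222222222222", // constructed attacker address
  amount: "0.5",
});

console.log(findAddressSwaps(USER_TYPED, CLEAN_BODY)); // []
console.log(findAddressSwaps(USER_TYPED, SWAPPED_BODY)); // one ethereum finding
```

Classification here is by shape only, with no checksum validation, and the Solana fallback accepts any 32 to 44 character base58 token, which some session or request identifiers also satisfy; run the comparison only over fields you know carry addresses, and treat a finding as a trigger to block the submission and record the original and substituted values for investigation.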
BleepingComputer has contacted AppsFlyer with questions about Profero's findings, and a spokesperson confirmed via a statement that unauthorized code was delivered through the AppsFlyer SDK:
"AppsFlyer detected and contained a domain registrar incident on March 10 that briefly exposed the AppsFlyer Web SDK running on a segment of customer websites to unauthorized code.
"The mobile SDK was not affected, and our investigation to date has not identified evidence that customer data on AppsFlyer systems was accessed. We take this incident very seriously and have been actively communicating with customers," AppsFlyer told BleepingComputer.
The vendor said that the issue has been resolved and that AppsFlyer customers received direct communication and updates about the incident.
"The mobile SDK has remained safe to use throughout the process, and the web SDK is safe to use." – AppsFlyer spokesperson
The company said that the investigation is ongoing and that it is working with external forensic experts. More information will be shared after the investigation is completed.
Given the uncertainty about exactly what happened and the scope of the incident, organizations deploying the SDK should review telemetry logs for suspicious API requests involving websdk.appsflyer.com during the exposure window, roll back to known-good versions of the SDK, and investigate potential compromise.
AppsFlyer was implicated in a cybersecurity incident earlier this year as well, when the notorious threat group ShinyHunters claimed that it leveraged the SDK to achieve a supply-chain breach at Match Group, stealing over 10 million records of Hinge, Match.com, and OkCupid users.
