CP
cyberpings
Malware & RansomwareHIGH

AppsFlyer SDK Hijacked to Deploy Crypto-Stealing Malware

BCBleepingComputer
AppsFlyercrypto-stealingsupply-chain attackJavaScriptmalware
🎯

Basically, hackers used a popular tool to steal cryptocurrency by changing wallet addresses on websites.

Quick Summary

What Happened This week, the AppsFlyer Web SDK was hijacked in a serious supply-chain attack. Malicious code was injected into the SDK, which is widely used for marketing analytics by over 15,000 businesses globally. The compromised code was designed to intercept cryptocurrency wallet addresses entered by users on various websites. Instead of sending funds to the intended wallet, the

What Happened

This week, the AppsFlyer Web SDK was hijacked in a serious supply-chain attack. Malicious code was injected into the SDK, which is widely used for marketing analytics by over 15,000 businesses globally. The compromised code was designed to intercept cryptocurrency wallet addresses entered by users on various websites. Instead of sending funds to the intended wallet, the malicious code redirected them to the attackers' wallets.

The attack was discovered by Profero researchers, who found obfuscated JavaScript being delivered through the official AppsFlyer domain. This incident highlights the vulnerabilities that can arise when third-party SDKs are compromised, affecting countless downstream applications and their users. The attack window is believed to have occurred between March 9 and March 11, 2026.

Who's Affected

The impact of this attack is significant, considering the 100,000 mobile and web applications that utilize the AppsFlyer SDK. Users of these applications, especially those involved in cryptocurrency transactions, are at risk. The compromised SDK targeted major cryptocurrencies, including Bitcoin, Ethereum, Solana, Ripple, and TRON. This broad targeting means that a large number of users could potentially have their funds diverted.

AppsFlyer itself has stated that it detected and contained the incident on March 10. However, the full scope of the attack remains uncertain. While they confirmed that no customer data was accessed on their systems, the potential for financial loss among users is a serious concern.

What Data Was Exposed

The malicious JavaScript code was crafted to maintain normal SDK functionality while secretly monitoring for cryptocurrency wallet input. When a user entered their wallet address, the code would replace it with the attacker's address, exfiltrating the original address along with any associated metadata. This means that any cryptocurrency transactions made during the attack could have been compromised.

The incident raises alarms about the security of third-party SDKs, which are often trusted components in many applications. The fact that this attack could occur through a widely used SDK underscores the need for vigilance in monitoring third-party dependencies.

What You Should Do

Organizations using the AppsFlyer SDK should take immediate action. It's crucial to review telemetry logs for any suspicious API requests originating from websdk.appsflyer.com. Downgrading to known-good versions of the SDK may also be necessary. Additionally, companies should investigate any potential compromises and communicate with their users about the risks involved.

AppsFlyer is currently working with external forensic experts to understand the full impact of the incident and has promised to provide updates as the investigation progresses. Users should remain cautious and monitor their cryptocurrency transactions closely during this time.

🔒 Pro insight: Analysis pending for this article.

Original article from

BleepingComputer · Bill Toulas

Read Full Article

Share

Related Pings

HIGHMalware & Ransomware

Payload Ransomware - Breaches Royal Bahrain Hospital Data

Payload Ransomware claims to have breached Royal Bahrain Hospital, stealing 110 GB of sensitive data. Patients and the healthcare sector are at risk as the group threatens to leak this data if the ransom isn't paid. Urgent action is needed to protect sensitive information.

Security Affairs·
HIGHMalware & Ransomware

Malware - Latest Threats and Research Insights Explained

The latest malware newsletter reveals critical threats like BoryptGrab and A0Backdoor. These sophisticated attacks target users through deceptive methods, making awareness essential. Stay informed to protect your data and systems.

Security Affairs·
HIGHMalware & Ransomware

GlassWorm Campaign Exploits 72 Extensions to Target Developers

A new GlassWorm campaign exploits 72 malicious extensions targeting developers. This sophisticated attack uses seemingly harmless tools to deliver malware. Developers must stay vigilant to protect their systems from these threats.

The Hacker News·
HIGHMalware & Ransomware

Malicious npm Packages Steal Discord and Crypto Data

A sophisticated supply chain attack has emerged, targeting Discord and cryptocurrency wallets. Users of npm packages are at risk of having their sensitive data stolen. Immediate action is required to secure accounts and data.

Cyber Security News·
HIGHMalware & Ransomware

GlassWorm Malware Expands Reach with 72 Malicious Extensions

The GlassWorm malware campaign has escalated, infecting developer environments through 72 malicious Open VSX extensions. Developers using popular tools are at risk, as attackers employ clever tricks to bypass security measures. Immediate action is necessary to protect sensitive data and maintain secure coding practices.

Cyber Security News·
HIGHMalware & Ransomware

SmartApeSG Campaign Deploys Remcos RAT via ClickFix Page

A new campaign is using a fake ClickFix page to spread Remcos RAT. Individuals and organizations are at risk of remote access and data theft. Stay vigilant and protect your systems from this growing threat.

SANS ISC Full Text·