Hijacked at the Source: AppsFlyer's Trusted Marketing SDK Distributes a Crypto Stealer

Executive Summary

On March 9, 2026, Profero began investigating a suspected compromise of the AppsFlyer SDK following customer requests. AppsFlyer is a mobile attribution and marketing analytics platform integrated into thousands of applications. The investigation confirmed that the SDK delivered obfuscated malicious JavaScript alongside legitimate code — a cryptocurrency wallet hijacker that intercepted addresses and replaced them with attacker-controlled values.

While the full scope remains unverified, the incident demonstrates how threat actors exploit trust in third-party SDKs. AppsFlyer has acknowledged an “availability issue” but provided no official confirmation of the compromise.

AppsFlyer Web SDK Vulnerability

Profero observed the AppsFlyer Web SDK, sourced from websdk[.]appsflyer[.]com, serving obfuscated malicious code. Potentially affected parties include organizations embedding the Web SDK and users visiting affected sites.

Payload Analysis

The malicious payload operated through these mechanisms:

  1. Loads and decodes obfuscated strings at runtime
  2. Installs hooks into browser network requests
  3. Monitors pages for wallet-related input activity
  4. Identifies cryptocurrency addresses
  5. Replaces legitimate addresses with attacker wallets
  6. Exfiltrates original addresses and metadata

Targeted wallet types included: Bitcoin, Ethereum, Solana, Ripple, and TRON.

Attacker Infrastructure

Profero identified three primary endpoints:

  • websdk[.]appsflyer[.]com/v1/api/plugin — fetches attacker-controlled wallet addresses
  • websdk[.]appsflyer[.]com/v1/api/process — receives exfiltrated data
  • websdk[.]appsflyer[.]com/v1/api/process?rd= — telemetry/exfiltration endpoint

The payload contained hardcoded fallback wallets that the attacker could update remotely for operational persistence and wallet rotation.

Attacker Wallets

  • ETH: 0x1C069d0c73087D0Bae687a6f74a807350dCe1829
  • BTC: bc1qr7ngtnsh66demm4vzt4kmqxkqj8sqprnuklalt
  • SOL: 4LJi6mAczxZWbUvbMEk5scKhUZNPvfMDTjaVADkPFSsK
  • XRP: rntqwheGbZihkabxf6xqZkUKGfTVyRhT14
  • TRX: TV6WtAkS4aAMJb3Rt2bfs8LxggF8Kmqbd9

Detection Guidance

Organizations should:

  • Identify websites using the AppsFlyer Web SDK
  • Review logs for connections to websdk[.]appsflyer[.]com and associated URLs
  • Validate SDK files loaded between March 9 (~22:45 UTC) and March 11
  • Investigate user reports of failed or misdirected cryptocurrency transactions
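The following Python helper is an added example, not code from Profero's advisory: it applies the log-review and SDK-validation steps above by flagging proxy log lines that reach the advisory's IoC endpoints, marking whether they fall in the stated exposure window, and checking a retrieved SDK file for the listed attacker wallet addresses. The log line layout and the sample entries are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Indicator values from the advisory, with the defanging brackets removed.
IOC_HOST = "websdk.appsflyer.com"
IOC_PATHS = ("/v1/api/plugin", "/v1/api/process")
ATTACKER_WALLETS = {
    "ETH": "0x1C069d0c73087D0Bae687a6f74a807350dCe1829",
    "BTC": "bc1qr7ngtnsh66demm4vzt4kmqxkqj8sqprnuklalt",
    "SOL": "4LJi6mAczxZWbUvbMEk5scKhUZNPvfMDTjaVADkPFSsK",
    "XRP": "rntqwheGbZihkabxf6xqZkUKGfTVyRhT14",
    "TRX": "TV6WtAkS4aAMJb3Rt2bfs8LxggF8Kmqbd9",
}
# Exposure window from the advisory; "March 11" is assumed to mean through the end of that day.
WINDOW_START = datetime(2026, 3, 9, 22, 45, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 12, 0, 0, tzinfo=timezone.utc)

# Assumed (constructed) proxy log layout: "<ISO-8601 UTC timestamp> <client_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def triage_log_line(line):
    """Return a finding for a request to one of the advisory's IoC endpoints, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts_raw, client, method, url = m.groups()
    parsed = urlparse(url)
    if parsed.hostname != IOC_HOST or parsed.path not in IOC_PATHS:
        return None
    ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
    return {"client": client, "method": method, "path": parsed.path,
            "query": parsed.query, "in_window": WINDOW_START <= ts <= WINDOW_END}


def scan_sdk_for_wallets(sdk_source):
    """Integrity check on a downloaded SDK file: which attacker wallets appear in it."""
    return sorted(k for k, addr in ATTACKER_WALLETS.items() if addr in sdk_source)


# Constructed sample lines: two in-window hits, one unrelated request, one hit before the window.
SAMPLE_LOGS = [
    "2026-03-10T03:12:44Z 203.0.113.5 GET https://websdk.appsflyer.com/v1/api/plugin",
    "2026-03-10T03:12:45Z 203.0.113.5 POST https://websdk.appsflyer.com/v1/api/process?rd=abc123",
    "2026-03-10T03:13:00Z 203.0.113.5 GET https://www.example.com/index.html",
    "2026-03-08T10:00:00Z 198.51.100.9 GET https://websdk.appsflyer.com/v1/api/plugin",
]
```

A hit outside the window still deserves a look, since the advisory's start time is approximate.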

IOCs

  • Domains/URLs: websdk[.]appsflyer[.]com and associated API endpoints
  • Wallet Addresses: five cryptocurrency wallets across multiple blockchain networks (listed in Attacker Wallets above)