Hijacked at the Source: A Trusted Marketing AppsFlyer’s SDK distributes a Crypto Stealer

By
Noy Kahlon
March 11, 2026

https://profero.io/blog/hijacked-at-the-source-a-trusted-marketing-appsflyers-sdk-distributes-a-crypto-stealer

Executive Summary

On 9 March 2026, following requests from our customers, Profero began investigating a lead suggesting a possible compromise of the AppsFlyer SDK. AppsFlyer is a widely used mobile attribution and marketing analytics platform integrated into thousands of mobile applications. Its deep SDK-level access to sensitive user and device data across client environments makes it a high-value target for third-party supply chain attacks.

During the investigation, Profero IRT confirmed the presence of obfuscated attacker-controlled JavaScript being delivered to users visiting websites and applications that loaded the AppsFlyer SDK, consistent with a browser-based cryptocurrency hijacker. The payload intercepted wallet addresses in form inputs and network requests and replaced them with attacker-controlled values. Because the AppsFlyer SDK is used across both web and mobile environments, the incident is potentially relevant to both desktop and mobile users who accessed affected websites or applications. Public reporting and community analysis also align with Profero's findings.

While the full scope, duration, and root cause of the incident remain unverified, the activity highlights how threat actors can abuse trust in widely deployed third-party SDKs to impact downstream websites, applications, and end users. There is no official confirmation from AppsFlyer at this time beyond an "availability issue." However, this is not the first time AppsFlyer has surfaced in a supply chain context this year. In January 2026, ShinyHunters claimed over 10 million records from Match Group dating platforms (Hinge, Match.com, OkCupid), including user IDs, transaction data, IP addresses, and dating profiles. ShinyHunters pointed to AppsFlyer as the source of the exposure. Match Group confirmed a security incident and that user data was likely accessed. AppsFlyer denied involvement. These incidents are a broader reminder that the level of trust organizations place in third-party code running inside their environments should be continuously evaluated, not assumed.  

AppsFlyer Web SDK

The AppsFlyer SDK is a software library that developers integrate into mobile apps and websites to track marketing attribution and user activity: where users came from, which campaigns drove installs or visits, and what actions users take (signups, purchases, or engagement). AppsFlyer is widely used around the world, including by companies such as TikTok, Ubisoft, Netflix, Carrefour, Burger King, Lululemon, and Pepsi, so any issue involving the SDK may be relevant both to mobile devices and to ordinary user devices that access websites or applications loading it.

The AppsFlyer Web SDK was observed serving obfuscated malicious JavaScript instead of the legitimate SDK from websdk[.]appsflyer[.]com. Profero IRT confirmed this through direct analysis of the recovered payload, including archived copies. The malicious payload appears to have been designed for stealth and compatibility, preserving legitimate SDK functionality while adding hidden browser hooks and wallet-hijacking logic.

Potentially affected parties include:

  • Organizations that embed the AppsFlyer Web SDK in websites or web applications
  • Users who visited sites loading the SDK during the suspected exposure window
  • Third parties whose environments interact with affected websites

Because the payload was served from a trusted SDK location, this should be treated as a potential supply-chain event until disproven.


Payload Analysis

The observed payload appears to be a crypto wallet hijacker hidden inside obfuscated JavaScript.

How It Works

1. The script loads and decodes obfuscated strings at runtime.
2. It installs hooks into browser network requests.
3. It watches the page for wallet-related input activity.
4. It checks for cryptocurrency addresses.
5. If an address is found, it replaces it with an attacker wallet.
6. It exfiltrates the original address and related metadata.

Targeted Wallet Types

  • Bitcoin
  • Ethereum
  • Solana
  • Ripple
  • TRON

Attacker Infrastructure

The following URLs were observed in reporting and payload analysis:

  • https://websdk[.]appsflyer[.]com/v1/api/plugin

    Used to fetch attacker-controlled wallet addresses. If the request succeeds, the payload updates its hardcoded fallback wallets with fresh addresses from the remote server.

  • https://websdk[.]appsflyer[.]com/v1/api/process

    Used to receive exfiltrated data from affected browser sessions.

  • https://websdk[.]appsflyer[.]com/v1/api/process?rd=

    The telemetry / exfiltration request format, where the rd parameter carries XOR-obfuscated data collected by the payload.

Attacker Wallets

The payload contains hardcoded fallback wallets and can overwrite them with updated values retrieved from the remote plugin endpoint. This gives the attacker two advantages:

  • the malware still works even if the remote wallet fetch fails
  • the attacker can rotate wallets over time to reduce blocking and tracking

Observed wallet addresses:

  • ETH: 0x1C069d0c73087D0Bae687a6f74a807350dCe1829
  • BTC: bc1qr7ngtnsh66demm4vzt4kmqxkqj8sqprnuklalt
  • SOL: 4LJi6mAczxZWbUvbMEk5scKhUZNPvfMDTjaVADkPFSsK
  • XRP: rntqwheGbZihkabxf6xqZkUKGfTVyRhT14
  • TRX: TV6WtAkS4aAMJb3Rt2bfs8LxggF8Kmqbd9


Detection Guidance

Organizations should review historical and current telemetry for the following:

Network / Proxy / DNS

  • websdk[.]appsflyer[.]com
  • websdk[.]appsflyer[.]com/v1/api/plugin
  • websdk[.]appsflyer[.]com/v1/api/process

Recommended Actions

  • Identify websites and applications using the AppsFlyer Web SDK
  • Review logs for connections to the listed domain and URLs
  • Validate whether SDK files loaded during the affected period (9 March, ~22:45 UTC, to 11 March) match a known-good version
  • Investigate user reports of failed or misdirected cryptocurrency transactions
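Added example (not part of Profero's report or of AppsFlyer's code): a small Python triage script that applies the detection guidance above to proxy log lines and to a recovered SDK file, matching on the reported endpoint paths and the hardcoded attacker wallets. The log line format and the sample data are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Indicators from the report above, with defanging brackets removed so they match real
# log data. The host is AppsFlyer's legitimate SDK domain, so domain-only hits occur in
# normal traffic; the two API paths are the discriminator.
IOC_HOST = "websdk.appsflyer.com"
IOC_PATHS = {"/v1/api/plugin": "wallet-fetch", "/v1/api/process": "exfil"}
KNOWN_WALLETS = {
    "0x1C069d0c73087D0Bae687a6f74a807350dCe1829": "ETH",
    "bc1qr7ngtnsh66demm4vzt4kmqxkqj8sqprnuklalt": "BTC",
    "4LJi6mAczxZWbUvbMEk5scKhUZNPvfMDTjaVADkPFSsK": "SOL",
    "rntqwheGbZihkabxf6xqZkUKGfTVyRhT14": "XRP",
    "TV6WtAkS4aAMJb3Rt2bfs8LxggF8Kmqbd9": "TRX",
}

def classify_url(url):
    """Return (label, carries_rd) if url hits a reported endpoint, else None.
    carries_rd is True when the ?rd= parameter used for exfiltration is present."""
    parts = urlsplit(url)
    if parts.hostname != IOC_HOST or parts.path not in IOC_PATHS:
        return None
    return IOC_PATHS[parts.path], "rd" in parse_qs(parts.query, keep_blank_values=True)

def scan_proxy_log(lines):
    """Flag log lines whose URL matches a reported endpoint. Assumed (constructed) line
    format: '<timestamp> <client_ip> <method> <url> <status>'. Returns (client_ip, label, carries_rd)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; skip rather than guess
        result = classify_url(fields[3])
        if result is not None:
            hits.append((fields[1], *result))
    return hits

def scan_sdk_file(text):
    """Return the chains whose reported attacker wallet appears verbatim in a recovered
    SDK file; a known-good copy of the SDK should yield an empty list."""
    return sorted(chain for wallet, chain in KNOWN_WALLETS.items() if wallet in text)

# Constructed sample data so the functions can be exercised offline; not from the incident.
SAMPLE_LOG = [
    "2026-03-10T01:12:03Z 10.0.0.15 GET https://websdk.appsflyer.com/v1/api/plugin 200",
    "2026-03-10T01:12:09Z 10.0.0.15 GET https://websdk.appsflyer.com/v1/api/process?rd=QUJDRA 200",
    "2026-03-10T01:13:44Z 10.0.0.22 GET https://example.com/index.html 200",
]
SAMPLE_SDK = "var a=1;var w='0x1C069d0c73087D0Bae687a6f74a807350dCe1829';"
```

Run `scan_proxy_log` over exported proxy lines in the assumed format and `scan_sdk_file` over the SDK copy your pages actually served during the window; a clean SDK returns an empty list, and any hit on `/v1/api/process` with `rd=` identifies a client whose session may have exfiltrated data.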


IOCs

  • websdk[.]appsflyer[.]com
    • Type: Domain
    • Description: AppsFlyer Web SDK domain
  • https://websdk[.]appsflyer[.]com/v1/api/plugin
    • Type: URL
    • Description: Used to fetch attacker-controlled wallet addresses
  • https://websdk[.]appsflyer[.]com/v1/api/process
    • Type: URL
    • Description: Used to receive exfiltrated data from affected browser sessions
  • https://websdk[.]appsflyer[.]com/v1/api/process?rd=
    • Type: URL
    • Description: Used as the telemetry / exfiltration request format
  • 0x1C069d0c73087D0Bae687a6f74a807350dCe1829
    • Type: ETH Wallet
    • Description: Attacker's wallet
  • bc1qr7ngtnsh66demm4vzt4kmqxkqj8sqprnuklalt
    • Type: BTC Wallet
    • Description: Attacker's wallet
  • 4LJi6mAczxZWbUvbMEk5scKhUZNPvfMDTjaVADkPFSsK
    • Type: SOL Wallet
    • Description: Attacker's wallet
  • rntqwheGbZihkabxf6xqZkUKGfTVyRhT14
    • Type: XRP Wallet
    • Description: Attacker's wallet
  • TV6WtAkS4aAMJb3Rt2bfs8LxggF8Kmqbd9
    • Type: TRX Wallet
    • Description: Attacker's wallet

