The AppsFlyer Web SDK was temporarily hijacked to deliver obfuscated attacker-controlled JavaScript that intercepted and replaced cryptocurrency wallet addresses to divert funds. The compromise, discovered by Profero and likely active between March 9 and March 11, affected web integrations used by thousands of apps while AppsFlyer investigates a domain registrar incident. #AppsFlyer #ShinyHunters
Key points
- The AppsFlyer Web SDK served malicious code that substituted user-entered crypto wallet addresses with attacker-controlled addresses.
- The payload targeted Bitcoin, Ethereum, Solana, Ripple, and TRON addresses while exfiltrating original wallet data and metadata.
- Profero discovered the injected JavaScript on March 9, with the likely exposure window from March 9, 22:45 UTC to March 11.
- AppsFlyer confirmed a domain registrar incident on March 10, stated the mobile SDK was unaffected, and said investigations with external forensics are ongoing.
- Organizations using the web SDK should review telemetry for suspicious requests from websdk.appsflyer.com, revert to known-good SDK versions, and investigate potential compromises.
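As an added example of the telemetry review recommended above (not code from Profero or AppsFlyer), the script below triages constructed web request log lines for fetches of websdk.appsflyer.com inside the reported exposure window; the year, the simplified log format, the end-of-day cutoff for March 11 and all sample hosts, IPs and paths are assumptions.

```python
"""Triage web request logs for fetches of the AppsFlyer Web SDK inside the
exposure window reported for the compromise. Assumed log format (constructed):
timestamp client method url status, space-separated."""
from datetime import datetime, timezone
from urllib.parse import urlsplit
import re

SUSPECT_HOST = "websdk.appsflyer.com"
# Reported window: March 9, 22:45 UTC to March 11. The report gives no year and
# no end time, so the year and the end-of-day cutoff here are assumptions.
WINDOW_START = datetime(2026, 3, 9, 22, 45, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample lines (not real telemetry); IPs, paths and hosts are made up.
SAMPLE_LOG = """\
2026-03-09T21:10:02Z 203.0.113.5 GET https://websdk.appsflyer.com/sdk.js 200
2026-03-10T03:22:41Z 203.0.113.7 GET https://websdk.appsflyer.com/sdk.js 200
2026-03-10T03:22:44Z 203.0.113.7 POST https://shop.example/api/checkout 200
2026-03-11T18:00:00Z 198.51.100.9 GET https://websdk.appsflyer.com/sdk.js 200
2026-03-12T09:15:13Z 198.51.100.9 GET https://websdk.appsflyer.com/sdk.js 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "client": m.group(2), "method": m.group(3),
            "url": m.group(4), "status": int(m.group(5))}


def triage(log_text):
    """Return entries that fetched SUSPECT_HOST inside the exposure window."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        host = (urlsplit(entry["url"]).hostname or "").lower()
        if host == SUSPECT_HOST and WINDOW_START <= entry["ts"] < WINDOW_END:
            hits.append(entry)
    return hits


def affected_clients(log_text):
    """Clients that loaded the SDK in the window; review them for wallet-swap exposure."""
    return sorted({e["client"] for e in triage(log_text)})
```

Requests before 22:45 UTC on March 9 or after March 11 fall outside the window and are not flagged, which is why the first and last sample lines are ignored.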