
AppsFlyer Web SDK hijacked to spread crypto-stealing JavaScript code

Why This Matters

The hijacking of the AppsFlyer Web SDK to distribute crypto-stealing JavaScript underscores the vulnerabilities inherent in relying on third-party SDKs, especially those widely integrated across numerous applications. This incident highlights the potential for supply-chain attacks to compromise end users' financial assets and emphasizes the need for rigorous security measures in third-party integrations. As the use of SDKs for marketing and analytics continues to grow, so does the importance of safeguarding these components against malicious exploitation.

Key Takeaways

The AppsFlyer Web SDK was temporarily hijacked this week to serve malicious code that steals cryptocurrency, in a supply-chain attack.

The payload can intercept cryptocurrency wallet addresses entered on websites and replace them with attacker-controlled addresses to divert funds to the threat actor.

Since the AppsFlyer SDK is used by thousands of applications for marketing analytics (user engagement and retention), the impact extends to a significant number of end users.

According to AppsFlyer, its SDK platform is used by 15,000 businesses worldwide for over 100,000 mobile and web applications. It is one of the leading “mobile measurement partner” (MMP) SDKs used to track marketing campaign attribution and in-app events.

The suspected compromise was discovered by Profero researchers, who "confirmed the presence of obfuscated attacker-controlled JavaScript being delivered to users visiting websites and applications that loaded the AppsFlyer SDK."

AppsFlyer has not confirmed any incidents beyond a domain availability issue published on its status page on March 10, 2026.

On March 9, Profero discovered a malicious payload served by the SDK from its official domain, at ‘websdk.appsflyer.com,’ which was also reported by multiple users.

“While the full scope, duration, and root cause of the incident remain unverified, the activity highlights how threat actors can abuse trust in widely deployed third-party SDKs to impact downstream websites, applications, and end users,” Profero explains.

The injected JavaScript was designed to preserve normal SDK functionality, but in the background, it loads and decodes obfuscated strings at runtime and hooks into browser network requests.

The malware monitors pages for cryptocurrency wallet input activity. When it detects a wallet address, it replaces it with the attacker’s wallet while exfiltrating the original wallet address and associated metadata.
