Cryptocurrency theft through AppsFlyer's SDK: an intrusion that exposes thousands of sites


This week a worrying intrusion into the digital supply chain was detected: the AppsFlyer Web SDK, a library that many sites and applications load to measure marketing campaigns, was serving malicious code capable of stealing cryptocurrency. The attacker took advantage of the trust placed in a widely deployed third party to alter wallet addresses and divert funds, a technique that turns a simple analytics script into a back door against end users.

AppsFlyer is not a minor tool: according to the company itself, its platform is used by 15,000 companies and over 100,000 mobile and web applications, which multiplies the potential impact when such a dependency is compromised. Corporate information on AppsFlyer is available on its official page: AppsFlyer - About.

Image generated with AI.

The intrusion was reported by Profero researchers, who identified obfuscated JavaScript delivered from the official domain of the Web SDK. Their analysis, published on the company's blog, shows that the malicious code was designed to go unnoticed: it keeps the SDK's functionality visible to the page but, in the background, it decodes obfuscated strings and hooks the browser's network requests. You can read the full research in Profero's report: Hijacked at the source - Profero.

The scam mechanism is direct and effective: the script monitors forms and input fields where users usually paste or type cryptocurrency wallet addresses; when it detects a valid address, it replaces it with one controlled by the attacker and simultaneously sends the original address and associated metadata to remote servers. In this way, a transfer that the user believes is authorized to the intended recipient can end up in an attacker's account without the victim noticing until the blockchain is checked.

The address types the code looked for include the most widely used in the market: Bitcoin, Ethereum, Solana, Ripple and TON, thus covering much of the daily transaction volume in cryptocurrencies. This reinforces the idea that the target was not an isolated user but large-scale deception through a shared infrastructure.

Profero estimates an initial exposure window between the night of March 9 (22:45 UTC) and March 11, although the exact scope (how many sites and how many users were affected) is not yet fully verified. Some users and operators began to flag the problem in forums and social networks; a thread in r/cybersecurity collected early reports of suspicious behaviour from multiple users.

AppsFlyer issued a brief statement on its status page attributing the incident to a problem with the domain registrar that, for a short period, allowed unauthorized code to be delivered from the Web SDK domain. The company notes that the mobile SDK was not affected and that, so far, there is no evidence of access to customer data within its systems. The status note is available at: AppsFlyer - Incident status.

Situations like this highlight the fragility of the software supply chain: third-party dependencies, though necessary, introduce risks that can cascade. Organizations and developers should treat this reality as an integral part of their risk management, adopting good practices in integrity verification, version control and monitoring of outgoing traffic.

While the companies concerned complete their forensic investigations with external assistance, there are practical measures that should be considered immediately. Reviewing telemetry records to detect unusual requests to websdk.appsflyer.com, restoring prior and verified versions of the SDK, and auditing any script loaded from third-party domains are reasonable steps. In addition, it is prudent to notify users who made transfers on the dates of possible exposure so they can review their operations on the blockchain and, if appropriate, contact the support services of the cryptocurrency platforms involved.
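The telemetry review suggested above, written out as an added example that is not part of the original article or of AppsFlyer's or Profero's tooling: it scans proxy-style log lines for fetches of websdk.appsflyer.com inside the reported exposure window and lists the client hosts that should be followed up. The log format, the sample lines and the year of the window are constructed assumptions (the article gives only March 9, 22:45 UTC through March 11).

```python
import re
from datetime import datetime, timezone

# Exposure window reported by Profero; the year is an assumption, the article does not state it.
WINDOW_START = datetime(2026, 3, 9, 22, 45, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 12, 0, 0, tzinfo=timezone.utc)  # i.e. through the end of March 11
SDK_HOST = "websdk.appsflyer.com"

# Constructed sample lines in a simple proxy/CDN shape: timestamp client method url status.
SAMPLE_LOG = """\
2026-03-09T21:10:02Z 10.0.0.5 GET https://websdk.appsflyer.com/web-sdk.min.js 200
2026-03-09T23:02:41Z 10.0.0.7 GET https://websdk.appsflyer.com/web-sdk.min.js 200
2026-03-10T08:15:00Z 10.0.0.9 GET https://cdn.example.com/app.js 200
2026-03-11T17:44:19Z 10.0.0.7 GET https://websdk.appsflyer.com/web-sdk.min.js 200
2026-03-12T01:00:00Z 10.0.0.5 GET https://websdk.appsflyer.com/web-sdk.min.js 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    return {"when": when, "client": client, "host": host, "url": url, "status": int(status)}


def find_exposed_fetches(log_text, start=WINDOW_START, end=WINDOW_END, host=SDK_HOST):
    """Return the entries that fetched the SDK host inside the exposure window."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["host"] != host:
            continue
        if start <= entry["when"] < end:
            hits.append(entry)
    return hits


def affected_clients(log_text):
    """Distinct clients that loaded the SDK during the window, sorted for reporting."""
    return sorted({e["client"] for e in find_exposed_fetches(log_text)})


if __name__ == "__main__":
    for e in find_exposed_fetches(SAMPLE_LOG):
        print(e["when"].isoformat(), e["client"], e["url"])
    print("clients to follow up:", affected_clients(SAMPLE_LOG))
```

A client that loaded the SDK in the window is not proof of theft, only of exposure; the wallet check the article recommends still has to be done per user.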


For those who move or manage cryptocurrency, this threat underlines simple but effective practices: manually check addresses before pasting, prefer methods that avoid direct clipboard editing (QR codes, URIs signed on hardware wallets), and keep software and browser extensions up to date. It is also advisable to stay informed about specific risks in libraries and SDKs by consulting supply-chain security resources, such as the materials of the software security community: OWASP - Supply Chain Security.

This is not the first time that an AppsFlyer component has appeared at the centre of larger incidents, and the recurrence is leading many security teams to review third-party integrations more carefully. Meanwhile, researchers and some media outlets have followed up on the case, and AppsFlyer is expected to publish more details when its forensic investigation is completed and it can share verifiable results.

In short, this episode is a reminder that security is not solely the responsibility of the affected service provider: when you trust components distributed across hundreds of sites, responsibility is shared between suppliers, integrators and those who operate the final services. The lesson is clear: auditing dependencies, monitoring unusual behaviour and having a response plan for supply-chain compromises are practices that are no longer optional in an increasingly interconnected ecosystem.
