The widely used open-source SmartTube app for Android TV was compromised after an attacker gained access to the developer’s signing keys, allowing a malicious update to be delivered to users.
The issue surfaced when many people began receiving warnings from Google Play Protect, which blocked the app and flagged it as unsafe.
Yuriy Yuliskov, the creator of SmartTube, confirmed that his digital signing keys were stolen late last week. This allowed malware to be injected into the app’s official builds. He has since revoked the compromised signature and announced that a new version of SmartTube will be released under a different app ID. Users are being urged to switch to the new version once it becomes available.
SmartTube is one of the most popular third-party YouTube clients for Android TVs, Fire TV sticks, and similar devices. Its popularity comes from being free, lightweight, ad-free, and capable of running smoothly on low-powered hardware. The security incident has therefore raised serious concerns within its large user community.
A user who reverse-engineered the compromised version 30.51 discovered a hidden library named libalphasdk.so, which does not appear in SmartTube’s public source code. Yuliskov confirmed that the file was not part of the official project and warned users to be cautious until the situation is fully understood. The injected library silently collects device fingerprints, registers the device with a remote server, and sends periodic metrics over an encrypted connection. While no harmful actions such as account theft or DDoS activity have been observed, the capability to perform them exists.
Although the developer has posted announcements on Telegram about safe beta and test builds, these files have not yet appeared on the app’s official GitHub repository. The lack of detailed information about what happened has created distrust among users, who are urging Yuliskov to release a full post-mortem explaining the breach and its impact.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
