SmartTube Android TV app compromised after developer’s signing keys stolen

 


The popular open-source SmartTube YouTube client for Android TV has been compromised after an attacker gained access to the developer’s signing keys. This resulted in a malicious update being distributed to users.

The issue came to light when numerous users reported that Google Play Protect abruptly began blocking SmartTube and flagging it as unsafe.

Shortly afterward, developer Yuriy Yuliskov confirmed that his digital signing keys had been stolen late last week, allowing a tampered build to be pushed as an official update. He has since revoked the compromised signature and says a clean version under a new app ID will be released soon. Users are urged to migrate once it becomes available.

SmartTube is a popular third-party YouTube client for Android TV devices, Fire TV sticks, and various TV boxes, known for its ad-blocking features, strong performance on low-end hardware, and completely free distribution.

A user who reverse-engineered the compromised version 30.51 discovered an unexpected native library, libalphasdk.so, embedded in the APK but absent from SmartTube’s public source code. Yuliskov warned that the file was not part of his project and called its presence “unexpected and suspicious.”

Analysis shows the library silently fingerprints devices, registers them with a remote backend, and exchanges encrypted data in the background, all without user interaction or visible indicators.
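The check that exposed the unexpected native library described above can be automated by diffing the `lib/<abi>/*.so` entries of a downloaded APK against a reference build. The following is an added example, not code from the SmartTube project or the article; it assumes you have a reference APK built from the public source, and every file name in the constructed samples except `libalphasdk.so` is a placeholder.

```python
import io
import zipfile
from collections import defaultdict

def native_libs(apk_bytes):
    """Return {abi: {library names}} for every lib/<abi>/<name>.so entry in an APK."""
    libs = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                libs[parts[1]].add(parts[2])
    return dict(libs)

def unexpected_libs(reference_apk, candidate_apk):
    """Per ABI, list libraries in the candidate that the reference build never ships."""
    ref = native_libs(reference_apk)
    # Judge by library name across all reference ABIs, so a build that merely
    # adds an ABI is not flagged, while a new library is flagged everywhere.
    known = set().union(*ref.values())
    report = {}
    for abi, names in native_libs(candidate_apk).items():
        extra = names - known
        if extra:
            report[abi] = sorted(extra)
    return report

def _make_apk(entries):
    """Constructed sample: a minimal zip with the given entry names and dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry in entries:
            z.writestr(entry, b"\x7fELF")
    return buf.getvalue()

# Constructed inputs. libplayer.so is a placeholder name, not a real SmartTube file.
_BASE = ["classes.dex", "lib/armeabi-v7a/libplayer.so", "lib/arm64-v8a/libplayer.so"]
REFERENCE = _make_apk(_BASE)
CANDIDATE = _make_apk(_BASE + ["lib/armeabi-v7a/libalphasdk.so",
                               "lib/arm64-v8a/libalphasdk.so"])

if __name__ == "__main__":
    for abi, names in sorted(unexpected_libs(REFERENCE, CANDIDATE).items()):
        print(f"{abi}: not in reference build: {', '.join(names)}")
```

A name-level diff only catches added libraries; a modified library that keeps its original name needs a hash comparison against the reference build as well.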

Although Yuliskov announced on Telegram that safe beta and test builds are available, they have yet to appear on the project’s official GitHub repository. The developer says he will provide a full post-mortem once the new, clean app is published on F-Droid.

