News: 0180267951


SmartTube YouTube App For Android TV Breached To Push Malicious Update (bleepingcomputer.com)

(Tuesday December 02, 2025 @05:22PM (BeauHD) from the PSA dept.)


An anonymous reader quotes a report from BleepingComputer:

> The popular open-source SmartTube YouTube client for Android TV was [1]compromised after an attacker gained access to the developer's signing keys, leading to a malicious update being pushed to users. The compromise became known when multiple users reported that Play Protect, Android's built-in antivirus module, [2]blocked SmartTube on their devices and warned them of a risk.

>

> The developer of SmartTube, Yuriy Yuliskov, admitted that his digital keys were compromised late last week, leading to the injection of malware into the app. Yuliskov revoked the old signature and said he would soon publish a new version with a separate app ID, urging users to move to that one instead. [...] A user who [3]reverse-engineered the compromised SmartTube version number 30.51 found that it includes a hidden native library named libalphasdk.so [VirusTotal]. This library does not exist in the public source code, so it is being injected into release builds.

>

> [...] The library runs silently in the background without user interaction, fingerprints the host device, registers it with a remote backend, and periodically sends metrics and retrieves configuration via an encrypted communications channel. All this happens without any visible indication to the user. While there's no evidence of malicious activity such as account theft or participation in DDoS botnets, the risk of enabling such activities at any time is high.



[1] https://www.bleepingcomputer.com/news/security/smarttube-youtube-app-for-android-tv-breached-to-push-malicious-update/

[2] https://github.com/yuliskov/SmartTube/issues/5131#issue-3670629826

[3] https://github.com/yuliskov/SmartTube/issues/5131#issuecomment-3592348406
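The report above says libalphasdk.so is absent from the public source and only appears in release builds. As an added example (not code from the report or from the SmartTube project), this sketch diffs the native libraries in a release APK against a reference APK built from source; the sample archives are constructed in memory, and `libplayer_core.so` is a hypothetical library name used only for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath


def native_libs(apk):
    """Return {abi: {library file names}} for every lib/<abi>/*.so entry in an APK."""
    libs = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            parts = PurePosixPath(name).parts
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                libs.setdefault(parts[1], set()).add(parts[2])
    return libs


def injected_libs(reference_apk, release_apk):
    """List libraries shipped in the release APK that the reference build lacks."""
    ref = native_libs(reference_apk)
    rel = native_libs(release_apk)
    extra = []
    for abi, names in rel.items():
        for lib in names - ref.get(abi, set()):
            extra.append(f"lib/{abi}/{lib}")
    return sorted(extra)


def _make_apk(entries):
    """Build a constructed in-memory stand-in for an APK (a zip with these entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\x7fELF constructed placeholder")
    buf.seek(0)
    return buf


# Constructed samples; libplayer_core.so is hypothetical, not SmartTube's real library list.
BASE = ["AndroidManifest.xml", "classes.dex",
        "lib/armeabi-v7a/libplayer_core.so", "lib/arm64-v8a/libplayer_core.so"]
ADDED = ["lib/armeabi-v7a/libalphasdk.so", "lib/arm64-v8a/libalphasdk.so"]


def sample_reference():
    return _make_apk(BASE)


def sample_release():
    return _make_apk(BASE + ADDED)


if __name__ == "__main__":
    for path in injected_libs(sample_reference(), sample_release()):
        print("not in reference build:", path)
```

This compares file names only, so a library that keeps its name but has altered contents would pass; catching that requires comparing hashes against a reproducible build.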



Lets wait for them to download the malware first (Score:1)

by innocent_white_lamb ( 151825 )

The keys were stolen last week but the developer doesn't bother to tell anyone about it until after the malware has been distributed.

Was he sleeping between last week and today?

Check your outrage (Score:4, Insightful)

by TurboStar ( 712836 )

I couldn't find any info about the dev discovering the key breach before the attack. The usual order of operations is that someone reports finding malware then the key breach is found during the subsequent investigation.

Re:Lets wait for them to download the malware firs (Score:4, Interesting)

by alvinrod ( 889928 )

He may not have been aware that the keys were compromised until they were misused. It's not like the keys are a physical object where a person can notice that they've been taken. Most of the people who are performing targeted attacks to gain this kind of access don't go around doing stupid things to alert someone that their machine has been compromised. I even recall an article from a few years ago where it was discovered that a malware program was also acting as an anti-virus to keep other things from infecting the machines and tipping off the users. This isn't the 90's or early 00's where people would immediately deface a website or pull some other crude prank upon gaining access.

Re: Lets wait for them to download the malware fir (Score:2)

by klipclop ( 6724090 )

I agree, he probably didn't know until it was reported. Then he investigated and found out how/when he was compromised. I doubt he sat on it for a week and waited until someone reported it.... If that was the case, he probably would have worked so quickly to fix things....

Well (Score:2)

by r1348 ( 2567295 )

fuck.

if the youtube app wasn't enshittified (Score:4, Insightful)

by diffract ( 7165501 )

We wouldn't need these alternatives

Re: (Score:2)

by SlashbotAgent ( 6477336 )

Is there an alternative for Android and iDevices that blocks ads?

Re: (Score:2)

by Mascot ( 120795 )

Hear, hear. On the desktop it can at least be made somewhat configurable via extensions, but on Android TV we're stuck with the mess YT decides to saddle us with. I just don't get why they don't give us tons of options to customize it to personal preference. Well, I guess I somewhat get it for non-premium, in that their incentive there is to keep people watching in order to generate ad revenue so that's their sole focus (and presumably the annoying choices they make serve that purpose), but for those wi
