SmartTube Hack: Android TV App Compromised with Spyware via Stolen Signing Key
One of the most popular unofficial YouTube clients for Android TV has been compromised — a malicious build infiltrated the SmartTube application, signed with the developer’s stolen keys. The incident has raised serious concerns about the security of alternative video-viewing apps and whether they can be trusted after such a breach.
The problem surfaced when users began reporting that Android’s built-in Play Protect was blocking SmartTube and issuing warnings about potential risk. The project’s developer, Yuri Liskov, confirmed that his signing keys were compromised last week, which allowed an attacker to embed malicious code into the distributed APK.
The old certificate has already been revoked, and the developer is preparing a new release with a different application identifier, urging users to migrate. SmartTube is widely used on televisions and set-top boxes running Android — including Android TV, Fire TV, and various TV boxes — largely because it provides free access, blocks ads, and performs better on low-power devices.
One user who dissected the compromised SmartTube version 30.51 discovered a hidden native library, libalphasdk.so, which is absent from the project’s open-source codebase. This strongly suggests that the component was injected during the build process. According to Liskov, the file is unrelated to his project and is not part of any SDK the application uses, making its appearance in the distribution both unexpected and deeply suspicious.
The unknown library runs silently, gathers information about the device’s hardware and software configuration, registers the device with a remote server, periodically transmits telemetry, and receives configuration updates via an encrypted communication channel.
There are no visual indicators of this activity. Although no confirmed cases of account theft, DDoS involvement, or other overtly malicious behaviour have been identified so far, the mere possibility that such capabilities could be activated at any moment is considered a serious threat.
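A library such as the libalphasdk.so described above can be surfaced by diffing the native-library entries of a suspect APK against a build you already trust. The sketch below is an added example, not code from the SmartTube project or from the user who analysed the build; `libplayer.so` and the in-memory sample APKs are constructed placeholders, and only the name libalphasdk.so comes from the report.

```python
import io
import zipfile
from collections import defaultdict

def native_libs(apk):
    """Map each ABI to the set of .so names under lib/<abi>/ in an APK.
    `apk` is a filesystem path or a binary file object."""
    libs = defaultdict(set)
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                libs[parts[1]].add(parts[2])
    return dict(libs)

def unexpected_libs(trusted_apk, suspect_apk):
    """Return sorted (abi, library) pairs present only in the suspect build."""
    trusted = native_libs(trusted_apk)
    findings = []
    for abi, names in sorted(native_libs(suspect_apk).items()):
        for so in sorted(names - trusted.get(abi, set())):
            findings.append((abi, so))
    return findings

def make_apk(entries):
    """Build a constructed in-memory APK (a zip archive) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in entries:
            z.writestr(name, b"constructed placeholder content")
    return buf

# Constructed sample data: libplayer.so is a hypothetical legitimate library.
BASE = ["AndroidManifest.xml", "classes.dex",
        "lib/armeabi-v7a/libplayer.so", "lib/arm64-v8a/libplayer.so"]
TRUSTED = make_apk(BASE)
SUSPECT = make_apk(BASE + ["lib/armeabi-v7a/libalphasdk.so",
                           "lib/arm64-v8a/libalphasdk.so"])

if __name__ == "__main__":
    for abi, so in unexpected_libs(TRUSTED, SUSPECT):
        print(f"unexpected native library for {abi}: {so}")
```

With real files, pass the two APK paths instead of the in-memory samples. An empty result only means no library was added; it says nothing about changes inside existing files.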
Liskov announced in his Telegram channel that safe test builds of SmartTube — both beta and stable — are now available, although these versions have not yet appeared in the project’s official GitHub repository. He has also not provided a detailed technical analysis of the incident, further intensifying distrust within parts of the community. He promised to revisit the issue after the final release of the updated app appears in the F-Droid catalogue.
Until a transparent report is published, users are advised to rely on older, previously verified SmartTube builds, disable automatic updates, and avoid signing into the app with accounts tied to paid YouTube Premium subscriptions. Those who installed version 30.51 are urged to change their Google account password, review activity logs for suspicious access, and revoke permissions for any third-party services they do not recognise.
The exact timeline of the compromise and the list of affected versions remain unknown. It has been noted that Play Protect does not flag SmartTube version 30.19 as dangerous, making it the currently recommended “relatively safe” option. Journalists who reached out to Liskov for clarification on the compromised versions had not received a response by the time of publication. The developer, however, remarked in his Telegram channel that “earlier versions are even less safe.”