SmartTube YouTube app for Android TV breached to push malicious update

Gandalf_The_Grey

The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, leading to a malicious update being pushed to users.

The compromise became known when multiple users reported that Play Protect, Android's built-in antivirus module, blocked SmartTube on their devices and warned them of a risk.

The developer of SmartTube, Yuriy Yuliskov, admitted that his digital keys were compromised late last week, leading to the injection of malware into the app.

Yuliskov revoked the old signature and said he would soon publish a new version with a separate app ID, urging users to move to that one instead.

SmartTube is one of the most widely downloaded third-party YouTube clients for Android TVs, Fire TV sticks, Android TV boxes, and similar devices.
 
This SmartTube incident is a good reminder of how critical signing keys are – and how messy things get when they’re compromised.

What (reliably) happened
From the info you quoted and the BleepingComputer article:

  • The SmartTube developer’s signing keys were compromised.
  • A malicious update was signed with those keys and pushed out.
  • Google Play Protect started flagging/blocking SmartTube on affected devices.
  • The developer confirmed the key compromise on GitHub and revoked the old signature.
  • A new build with a different app ID and new keys is planned/being released.

No need to speculate here – the dev themselves has acknowledged the breach and revocation.

If you have SmartTube installed right now
To stay on the safe side, I’d treat any existing SmartTube installation as untrusted until you’re sure you’re on the new, re-signed version.

  • Disconnect the device from the network (temporarily).
    Unplug Ethernet or disable Wi‑Fi if you suspect you ran the compromised build.
  • Uninstall SmartTube completely.
    Go to your Android TV / Fire TV / box settings and:
    • Force stop SmartTube
    • Clear data/cache (if option exists)
    • Uninstall the app
  • Run a security scan.
    At minimum:
    • Ensure Google Play Protect is enabled and run a manual scan.
    • Optionally scan with a reputable third-party mobile AV (Bitdefender, ESET, Kaspersky, etc.).
  • Think about what you used that device for.
    If the TV/box was used only for media streaming, risk is lower than on a phone with banking/email, but:
    • If you logged into Google or other sensitive accounts on that device, consider changing those passwords from a clean PC/phone.
    • Check for any unusual account activity.
  • Wait for / move to the new app ID only from the official source.
    When the developer releases the new version:
    • Download it only from the official GitHub releases page or the developer’s official links.
    • Make sure you’re installing the one with the new app ID and new signature – not any “old” SmartTube build floating around mirrors.

Broader lesson: open source ≠ immune to key theft
Even though SmartTube is open source, once a signing key is stolen an attacker can:

  • Ship malicious “updates” that look 100% legitimate to devices.
  • Bypass normal user skepticism because the app is “from the same developer” as far as the OS is concerned.

For users, that means:

  • Be cautious about auto-updating sideloaded apps (especially on devices that handle logins).
  • Pay attention when Play Protect or another AV suddenly starts flagging a previously “clean” app.
  • When something like this happens, uninstall first, investigate later.

What to watch next
  • The SmartTube GitHub issues and releases page for:
    • Exact versions/builds that were malicious/affected.
    • Final instructions from the developer on migration to the new app ID.
  • Any follow-up from BleepingComputer or Android TV security channels.

If you share which version/build of SmartTube you were running and from where you installed it (GitHub, Telegram, a site, etc.), I can help you narrow down whether you’re likely to have received the compromised update and what further steps might be reasonable.
The developer is being shady, but we'll get to that.

The app is a great product, I'll give you that, but it's already built on a premise of "evil".

The author only comes out with the fact that he lost his keys, thus be wary of a new version. Yes, I understand we are all afraid and reluctant to admit to our failure.

The only antimalware software package that detects the additional code as "malicious" is "Dr.Web"; now that should say it all and no further text is necessary. Inside Dr. Web corporate headquarters: ("Muhahahah, that's what the KGB gets for not providing me with threat intelligence!").

Dr Web gets victorious on this!
Haha. We are not the old KGB but we are the modern FSB.
 
The SmartTube binaries with this ELF component are only detected by Kaspersky (albeit as a risktool) and Dr. Web. Russian intel rules the roost.
 
BleepingComputer has contacted Yuliskov to determine which versions of the SmartTube app were compromised, and he responded with the following:

"Some of the older builds that appeared on GitHub were unintentionally compromised due to malware present on my development machine at the time they were created. As soon as I noticed the issue in late November, I immediately wiped the system and cleaned the environment, including the GitHub repository."

"I became aware of the malware issue around version 30.47, but as users reported lately it started around version 30.43. So, for my understanding the compromised versions are: 30.43-30.47."

"After cleaning the environment, a couple of builds were released using the previous key (prepared on the clean system), but from version 30.55 onward I switched to a new key for full security. The differing hashes for 30.47 Stable v7a are likely the result of attempts to restore that build after cleaning the infected system."

Update 12/2 - Added developer comment and information.
I occasionally watch TV; I just checked, and SmartTube is on version 30.48 (I've disabled auto-update and manually check for updates). The check for updates shows "Update error: Value NOT of type Java.lang. String cannot be converted to JSONobject."

I'll uninstall SmartTube and reinstall it.

@Bot, wot you say?
Uninstalling and reinstalling is the right call here, especially given the confusion around versions and keys.

Where your version (30.48) fits in
From the dev’s statement:

  • Compromised builds: 30.43–30.47
  • Environment supposedly cleaned around that time
  • New key only from 30.55+

Your 30.48 is technically after the compromised range, but:

  • It was still signed with the old key.
  • The dev’s machine and repo were known to have been compromised.
  • Details are a bit messy and have been changing as the dev investigates.

So from a risk perspective, it’s reasonable to treat 30.48 as not fully trustworthy, even if it might be clean.

About the update error
"Update error: Value NOT of type Java.lang.String cannot be converted to JSONObject"
That looks like the app’s update check parsing a bad/changed response (e.g. server returning something unexpected / invalid JSON), not specifically a “malware sign”. It just means the update mechanism is currently broken or the endpoint is returning something the app can’t parse.

What I’d do in your place

  • Uninstall SmartTube completely (as you plan).
    On your TV/box:
    • Settings → Apps → SmartTube
    • Force stop
    • Clear data/cache (if available)
    • Uninstall
  • Reboot the device.
    Just to clear anything left in memory.
  • Run a scan.
    • Make sure Google Play Protect is enabled and run a manual scan.
    • Optionally install a reputable AV that supports Android TV (e.g. Bitdefender, ESET, Kaspersky, etc.) and do a full scan.
  • Consider your account exposure.
    If this device is basically a media-only box and you just used standard Google sign‑in:
    • Risk is probably limited, but out of caution you could change your Google password and ensure 2FA is on (from a clean PC/phone).
  • If you reinstall, only from the “new key” line.
    If you want SmartTube again:
    • Wait for / choose a build that is explicitly stated by the dev as signed with the new key (30.55+ per their statement, or the new app ID they mentioned).
    • Download only from the official GitHub releases or links the dev themselves provides.
    • Avoid any mirrors / “archived” apks of older versions, even if they’re popular.

Bottom line
Your instinct to uninstall and start fresh is sound. Given the compromised environment and key history, it’s safer to treat anything signed with the old key (including 30.48) as questionable and switch only to the clearly “post-incident” builds from the official source.
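As an added example (not code from the thread, the bot, or the SmartTube project), a small Python triage helper that encodes the version ranges the developer gave in the quoted update and checks the signer digest printed by `apksigner verify --print-certs` on a pulled APK. The trusted new-key fingerprint is a placeholder, since the thread does not publish it, and the apksigner output is a constructed sample.

```python
import re

# Version ranges as stated by the developer in the BleepingComputer update
# quoted above: 30.43-30.47 built on the infected machine, new key from 30.55.
COMPROMISED_FROM, COMPROMISED_TO = (30, 43), (30, 47)
NEW_KEY_FROM = (30, 55)

# PLACEHOLDER: the thread does not publish the new key's fingerprint; take the
# real value from the developer's official release notes before relying on it.
TRUSTED_NEW_KEY_SHA256 = "PLACEHOLDER_NEW_KEY_SHA256_FINGERPRINT"

# `apksigner verify --print-certs` prints one such line per signer.
DIGEST_RE = re.compile(r"Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})")

# Constructed sample output with a made-up digest, not a real SmartTube signer.
SAMPLE_APKSIGNER_OUTPUT = (
    "Signer #1 certificate DN: CN=placeholder\n"
    "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"
)

def parse_version(label):
    """'30.47 Stable v7a' -> (30, 47); only the first two numbers matter here."""
    nums = re.findall(r"\d+", label)[:2]
    return tuple(int(n) for n in nums)

def signer_sha256(apksigner_output):
    """Return the lower-cased SHA-256 signer digest, or None if none is present."""
    m = DIGEST_RE.search(apksigner_output)
    return m.group(1).lower() if m else None

def triage(version_label, apksigner_output, trusted=TRUSTED_NEW_KEY_SHA256):
    """Classify a build the way the thread reasons about it: compromised range,
    revoked old key, new key, or a version/key mismatch that needs a closer look."""
    v = parse_version(version_label)
    fp = signer_sha256(apksigner_output)
    if fp is None:
        return "unknown: no SHA-256 signer digest found, treat as untrusted"
    if COMPROMISED_FROM <= v <= COMPROMISED_TO:
        return "compromised: version is inside 30.43-30.47, uninstall"
    if fp == trusted.lower():
        return "new-key: signer digest matches the published new key"
    if v >= NEW_KEY_FROM:
        return "suspicious: 30.55+ should carry the new key but the digest differs, do not install"
    return "old-key: post-cleanup build still signed with the revoked key, untrusted"

if __name__ == "__main__":
    print(triage("30.48", SAMPLE_APKSIGNER_OUTPUT))
```

Pull the APK with `adb pull` from the TV box, run `apksigner verify --print-certs` on it, and feed that output to `triage` together with the version shown in the app's settings.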