- A malicious library slipped into SmartTube updates without users noticing anything unusual
- Play Protect alerts prompted the community to investigate the suspicious build
- The hidden file maintained remote communication channels and alerted users
SmartTube, a widely used YouTube client for Android TV, recently faced a serious compromise after an attacker gained access to the developer’s signing keys.
This breach allowed a malicious update to reach users without any warning, adding a secret native library known as libalphasdk.so [VirusTotal].
Evaluation of version 30.51 shows that the hidden library does not appear in the open source codebase.
Hidden code and unanswered questions
This raised a red flag as the file ran in the background, registering the device with a remote server and maintaining communication without alerting the user.
The incident came to light when Play Protect flagged the app and blocked installations, sparking immediate concerns throughout the community.
The behavior matched surveillance-style activity and raised concerns about potential abuse.
Yuriy Yuliskov, the developer of SmartTube, confirmed that an attacker had taken his keys and added malicious code to the app.
This prompted him to revoke the signature and start working on a clean release, describing the file as unexpected and suspicious.
“Possibly a malware. This file is not part of my project or any SDK I use. Its presence in the APK is unexpected and suspicious. I recommend caution until its origin is verified,” Yuliskov said on a GitHub thread.
The developer also announced on Telegram that beta and stable test builds were available, but those builds have yet to appear in the official repository.
Users have not received a clear explanation of how the compromise occurred or which versions were affected.
This information gap has caused unease among long-term users who expected a clear postmortem.
Some community members reported that older versions, such as 30.19, did not trigger Play Protect, but the overall security of specific releases remains uncertain.
Until full clarity emerges, users should stick to older verified builds, avoid logging in with important accounts, and disable automatic updates.
Resetting Google Account passwords and reviewing account activity can help reduce the risk of unauthorized access.
Running occasional antivirus checks can add a layer of security, and if something looks unusual, users can follow up with targeted malware removal.
Setting stricter firewall rules can also help reduce unwanted connections while you wait for a clean release.
That said, Yuliskov has promised to fix all issues and release a new version on the F-Droid store, but this incident shows how even trusted open source projects can become vulnerable when key security controls fail.
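As an added example (not from the original article or the SmartTube project), one way to spot an unexpected native library like the one described above is to compare the lib/ entries of a downloaded APK with those of a reference build you trust, such as one compiled from the public source. The two archives and the name libexample_player.so are constructed for illustration; only libalphasdk.so comes from the article.

```python
import hashlib
import io
import zipfile


def native_libs(apk_bytes):
    """Map each lib/<abi>/<name>.so entry of an APK (a ZIP archive) to its SHA-256."""
    libs = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            parts = info.filename.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                libs[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return libs


def diff_native_libs(reference_apk, candidate_apk):
    """Report native libraries added, removed or changed relative to the reference."""
    ref, cand = native_libs(reference_apk), native_libs(candidate_apk)
    return {
        # A library name the reference build never shipped is the strongest signal.
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        # Hash changes are expected between versions; they matter most when
        # comparing a release with a same-version build made from source.
        "changed": sorted(p for p in set(ref) & set(cand) if ref[p] != cand[p]),
    }


def _build_apk(entries):
    """Build a constructed in-memory ZIP standing in for an APK (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives; file contents are placeholders, not real binaries.
REFERENCE = _build_apk({"classes.dex": b"dex",
                        "lib/arm64-v8a/libexample_player.so": b"player-v1",
                        "lib/armeabi-v7a/libexample_player.so": b"player-v1"})
CANDIDATE = _build_apk({"classes.dex": b"dex",
                        "lib/arm64-v8a/libexample_player.so": b"player-v1",
                        "lib/armeabi-v7a/libexample_player.so": b"player-v1",
                        "lib/arm64-v8a/libalphasdk.so": b"unexpected",
                        "lib/armeabi-v7a/libalphasdk.so": b"unexpected"})

if __name__ == "__main__":
    print(diff_native_libs(REFERENCE, CANDIDATE))
```

With real files, pass the bytes of each APK read from disk instead of the constructed archives.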
Via BleepingComputer