- A malicious library sneaked into SmartTube updates without users noticing anything unusual
- Play Protect warnings led the community to investigate the suspicious build
- The hidden file maintained remote communication channels, alarming users
SmartTube, a widely used YouTube client for Android TV, recently faced a serious compromise after an attacker gained access to the developer’s signing keys.
This breach allowed a malicious update to reach users without warning, adding a secret native library known as libalphasdk.so [VirusTotal].
Evaluation of version 30.51 shows that the hidden library does not appear in the open source codebase.
Hidden code and unanswered questions
This raised a red flag, as the file was running in the background, registering the device with a remote server, and maintaining communication without alerting the user.
The incident came to light when Play Protect flagged the app and blocked installations, raising immediate concerns across the community.
The behavior was consistent with surveillance-style activity and raised concerns about potential misuse.
Yuriy Yuliskov, the developer of SmartTube, confirmed that an attacker had taken his keys and added harmful code to the app.
This led him to revoke the signature and start working on a clean version, describing the file as unexpected and suspicious.
“It is possibly malware. This file is not part of my project or any SDK I use. Its presence in the APK is unexpected and suspicious. I recommend caution until its origin is verified,” Yuliskov said in a GitHub thread.
The developer also announced on Telegram that beta and stable test versions were available, but these versions have not yet appeared in the official repository.
Users have not received a clear explanation of how the compromise occurred or which versions were affected.
This information gap has caused concern among long-time users who were hoping for a clear post-mortem.
Some community members reported that older versions, such as 30.19, did not trigger Play Protect, but the overall security of specific versions remains uncertain.
Until complete clarity emerges, users should stick to older verified versions, avoid logging in with important accounts, and turn off automatic updates.
Resetting Google account passwords and reviewing account activity could help reduce the risk of unauthorized access.
Running occasional antivirus checks can add a layer of peace of mind, and if something seems unusual, users can move on to dedicated malware removal.
Setting stricter firewall rules can also help reduce unwanted connections while waiting for a clean release.
That said, Yuliskov promised to fix all the issues and release a new version to the F-Droid store, but this incident shows how even trusted open source projects can become vulnerable when key security controls fail.
Via BleepingComputer