
The developer behind SmartTube, a popular ad-free YouTube client for Android TV, has confirmed that the app’s signing key was compromised, prompting the urgent release of a new version under a different digital signature.
The compromise led to malicious APKs being distributed, including through official update channels, prompting Google Play Protect to disable the app on user devices and raising widespread alarm in the user community.
The situation came to light late last week when Yuriy Yuliskov, the sole maintainer of SmartTube, announced via GitHub and Patreon that his digital signing key had been exposed. This key, which authenticates and secures APK updates, had been used by threat actors to inject malicious code into app packages, effectively weaponizing SmartTube updates against its own user base. Yuliskov advised users not to reinstall the old app and instead wait for a newly signed version, which has since been released under a different app ID.
A user conducted a reverse-engineering analysis of infected APKs, particularly version 30.51, and discovered a native binary named libalphasdk.so. This component was silently collecting sensitive data upon app launch, including device UUIDs, local IP addresses, Android version, manufacturer, model, and network operator name. It also utilized a custom networking stack, hardcoded Google endpoints (e.g., drive.google.com, dns.google), and scheduled periodic data transmissions to a remote server via encrypted DNS and HTTPS.
SmartTube is a widely used third-party YouTube client designed for Android TV platforms like MiBox, Nvidia Shield, and Chromecast with Google TV. It offers a YouTube experience without ads or tracking, and appeals especially to users who seek alternatives to Google’s own applications. Due to its popularity, SmartTube has millions of installs, many of which rely on automatic updates via its built-in updater, a mechanism now confirmed to have delivered infected APKs.

A timeline of infection suggests versions between 28.56 and 30.52 distributed through third-party sites such as APKPure were most affected. VirusTotal scans flagged several of these packages. Infected APKs from GitHub were also confirmed, raising the possibility that Yuliskov’s development environment was fully compromised. The developer himself acknowledged wiping his hard drive entirely to recover from the breach.
Due to the compromised signature, Google Play Protect began disabling SmartTube installations system-wide, triggering alerts such as “Your device is at risk” on Android TV devices. Users were unable to re-enable the app without uninstalling and installing a new version. This behavior was intentional, according to Yuliskov, who halted further updates to prevent users from receiving tainted builds.
Despite the chaos, a new release, version 30.56, has been published using a new signing key. This version installs as a separate application due to the changed package name. However, transparency concerns remain. The developer has promised a forthcoming public disclosure explaining how the original key was leaked, when the compromise occurred, and what steps are being taken to prevent similar incidents in the future.
In the absence of that statement, community trust remains shaky. Some users have already called on the developer to provide hashes of clean builds, code signing transparency, and verifiable evidence that his GitHub and Patreon accounts remain under his control.
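A check for the indicator described in the reverse-engineering analysis above, as an added example (not code from this article or the SmartTube project): it looks inside an APK for a native library named libalphasdk.so and records SHA-256 digests that can be compared against hashes of clean builds if the developer publishes them. The sample APKs and the `libplayer.so` name are constructed for the demo.

```python
import hashlib
import io
import zipfile

# Library name reported in the analysis of infected builds (from the article).
SUSPECT_LIB = "libalphasdk.so"
# Endpoints the article says were hardcoded; benign on their own, context only.
ENDPOINT_STRINGS = (b"drive.google.com", b"dns.google")


def scan_apk(apk_bytes):
    """Return the APK's SHA-256, its native libraries, and any suspect hits."""
    report = {
        "sha256": hashlib.sha256(apk_bytes).hexdigest(),
        "native_libs": [],
        "suspect": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            parts = info.filename.split("/")
            # Native code lives at lib/<abi>/<name>.so inside an APK.
            if len(parts) != 3 or parts[0] != "lib" or not parts[2].endswith(".so"):
                continue
            report["native_libs"].append(info.filename)
            if parts[2].lower() == SUSPECT_LIB:
                blob = apk.read(info)
                report["suspect"].append({
                    "path": info.filename,
                    "abi": parts[1],
                    "sha256": hashlib.sha256(blob).hexdigest(),
                    "endpoints": [s.decode() for s in ENDPOINT_STRINGS if s in blob],
                })
    return report


def constructed_apk(with_suspect):
    """Build a tiny stand-in APK in memory (constructed sample, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed")
        z.writestr("lib/arm64-v8a/libplayer.so", b"\x7fELF constructed")  # hypothetical name
        if with_suspect:
            z.writestr("lib/arm64-v8a/libalphasdk.so", b"\x7fELF\x00dns.google\x00 constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean sample", False), ("flagged sample", True)):
        r = scan_apk(constructed_apk(flag))
        print(label, r["sha256"][:16], [s["path"] for s in r["suspect"]])
```

A name match only catches builds that keep this file name, so an empty result does not establish that an APK is clean; the digest comparison is the stronger check once reference hashes exist.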






