
SmartTube YouTube app for Android TV breached to push malicious update

Recorded: Dec. 1, 2025, 7:02 p.m.


By Bill Toulas

December 1, 2025
01:56 PM

The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, leading to a malicious update being pushed to users.
The compromise became known when multiple users reported that Play Protect, Android's built-in antivirus module, blocked SmartTube on their devices and warned them of a risk.
The developer of SmartTube, Yuriy Yuliskov, admitted that his digital keys were compromised late last week, leading to the injection of malware into the app.
Yuliskov revoked the old signature and said he would soon publish a new version with a separate app ID, urging users to move to that one instead.
SmartTube is one of the most widely downloaded third-party YouTube clients for Android TVs, Fire TV sticks, Android TV boxes, and similar devices.
Its popularity stems from the fact that it is free, can block ads, and performs well on underpowered devices.
A user who reverse-engineered the compromised SmartTube version number 30.51 found that it includes a hidden native library named libalphasdk.so [VirusTotal]. This library does not exist in the public source code, so it is being injected into release builds.
"Possibly a malware. This file is not part of my project or any SDK I use. Its presence in the APK is unexpected and suspicious. I recommend caution until its origin is verified," cautioned Yuliskov on a GitHub thread.
The library runs silently in the background without user interaction, fingerprints the host device, registers it with a remote backend, and periodically sends metrics and retrieves configuration via an encrypted communications channel.
All this happens without any visible indication to the user. While there's no evidence of malicious activity such as account theft or participation in DDoS botnets, the risk of enabling such activities at any time is high.
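
Because the malicious update was built with the developer's own signing keys, a signature check alone would not have flagged it; the library stood out only because it is absent from the public source. The following added example (not code from the article or the SmartTube project) lists the native libraries in a release APK and reports any whose name is missing from a reference APK built from source. The sample APKs are constructed in memory and `libexample_player.so` is a hypothetical legitimate library name.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath


def native_libs(apk_bytes):
    """Return {(abi, lib_name): sha256_hex} for every lib/<abi>/*.so entry in an APK."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            parts = PurePosixPath(name).parts
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                found[(parts[1], parts[2])] = hashlib.sha256(apk.read(name)).hexdigest()
    return found


def injected_libs(release_apk, reference_apk):
    """Libraries in the release whose file name never appears in the reference build."""
    known_names = {lib for _abi, lib in native_libs(reference_apk)}
    release = native_libs(release_apk)
    return sorted((abi, lib, digest) for (abi, lib), digest in release.items()
                  if lib not in known_names)


def make_apk(entries):
    """Build a constructed in-memory APK (a ZIP archive) from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in entries.items():
            z.writestr(path, data)
    return buf.getvalue()


# Constructed sample data; file contents are placeholders, not real binaries.
REFERENCE = make_apk({"classes.dex": b"dex",
                      "lib/arm64-v8a/libexample_player.so": b"player"})
RELEASE = make_apk({
    "classes.dex": b"dex",
    "lib/arm64-v8a/libexample_player.so": b"player",
    "lib/arm64-v8a/libalphasdk.so": b"constructed placeholder bytes",
    "lib/armeabi-v7a/libalphasdk.so": b"constructed placeholder bytes",
})

if __name__ == "__main__":
    for abi, lib, digest in injected_libs(RELEASE, REFERENCE):
        print(f"UNEXPECTED lib/{abi}/{lib} sha256={digest}")
```

The reported SHA-256 can be used to look the file up in a malware database; names are compared rather than hashes because builds that are not reproducible produce differing hashes for legitimate libraries too.
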
Although the developer announced on Telegram the release of safe beta and stable test builds, they have not reached the project's official GitHub repository yet.
Also, the developer has not provided full details of what exactly happened, which has created trust issues in the community.
Yuliskov promised to address all concerns once the final release of the new app is pushed to the F-Droid store.
Until the developer transparently discloses all points publicly in a detailed post-mortem, users are recommended to stay on older, known-to-be-safe builds, avoid logging in with premium accounts, and turn off auto-updates.
Impacted users are also recommended to reset their Google Account passwords, check their account console for unauthorized access, and remove services they don't recognize.
At this time, it is unclear exactly when the compromise occurred or which versions of SmartTube are safe to use. One user reported that Play Protect doesn't flag version 30.19, so it appears safe.
BleepingComputer has contacted Yuliskov to determine which versions of the SmartTube app were compromised, but a comment was not immediately available.


The SmartTube YouTube application for Android TV has been compromised, resulting in a malicious update being pushed to users. This incident, disclosed in December 2025, highlights vulnerabilities within the open-source community and the potential for malware injection into popular third-party applications. The breach originated when Yuriy Yuliskov, the developer of SmartTube, reported that his digital signing keys were compromised, allowing an attacker to introduce malicious code into the app. The compromised version, identified as 30.51, contained a hidden native library named libalphasdk.so found within the Android application package (APK). This library, not a part of Yuliskov’s original project or SDK usage, operates silently in the background, fingerprinting the host device, registering it with a remote backend, and periodically sending metrics via an encrypted communication channel. This process occurs without user interaction or visible indications.

While initial reports didn’t reveal evidence of immediate malicious activity such as account theft or participation in Distributed Denial-of-Service (DDoS) botnets, the potential for such actions was significant, emphasizing the inherent risk associated with the unauthorized modification of trusted software. The incident quickly triggered responses within the Android security ecosystem, with Play Protect, Android’s built-in antivirus module, immediately flagging the compromised SmartTube version. This highlights the importance of Play Protect’s real-time detection capabilities.

Following the discovery, Yuliskov swiftly revoked the old signature and promised a new version with a distinct app ID, urging users to migrate to this updated release. However, a lack of comprehensive transparency surrounding the specific details of the compromise created a degree of distrust within the SmartTube community. The opacity regarding the timing and full scope of the breach exacerbated concerns.

Despite subsequent announcements detailing the release of beta and stable test builds via the F-Droid store, the developer hadn't yet released full post-mortem details, creating an environment of uncertainty. The situation underscores the critical need for developers to maintain open communication and provide thorough explanations regarding security incidents.

Users were advised by BleepingComputer to take preventative measures, including resetting Google Account passwords, checking account consoles for unauthorized access, and removing any unrecognized services. Given the unclear scope of the incident, recommendations involved staying on previously known-to-be-safe older builds, avoiding logins with premium accounts and disabling auto-updates. BleepingComputer’s attempts to obtain clarification from Yuliskov regarding the exact versions of SmartTube affected were unsuccessful at the time of reporting. This reluctance to provide detailed information further fueled community uncertainty.

The incident underscores the inherent risks associated with relying on open-source projects within the mobile ecosystem and the importance of robust security practices, including vigilant monitoring by security tools like Play Protect, and immediate transparency from developers during security incidents. The SmartTube case serves as a cautionary tale, emphasizing the requirement for dependable communication and proactive risk management within the open-source development landscape.