- Malicious library slipped into SmartTube updates without users noticing anything unusual
- Play Protect warnings led the community to investigate the suspicious build
- Hidden file maintained remote communication channels, alarming users
SmartTube, a widely used YouTube client for Android TV, recently faced a serious compromise after an attacker gained access to the developer’s signing keys.
This access allowed a malicious update to reach users without any warning, adding a secret native library known as libalphasdk.so [VirusTotal].
Evaluation of version 30.51 shows that the hidden library does not appear in the open source code base.
Hidden code and unanswered questions
This raised a red flag, as the file was running in the background, registering the device with a remote server, and maintaining communication without alerting the user.
The incident surfaced when Play Protect reported the app and blocked installations, which immediately sparked concerns within the community.
This behavior was consistent with surveillance activity and raised concerns about possible misuse.
Yuriy Yuliskov, the developer of SmartTube, confirmed that an attacker took his keys and added harmful code to the application.
This prompted him to revoke the signature and start working on a clean version, and he described the file as unexpected and suspicious.
“Maybe malware. This file is not part of my project or any SDK I use. Its presence in the APK is unexpected and suspicious. I recommend caution until its origin is verified,” Yuliskov said in a GitHub thread.
The developer also announced on Telegram that beta and stable test builds are available, but these builds have not yet appeared on the official repository.
Users have not received a clear explanation of how the compromise occurred or which versions were affected.
This lack of information caused unease among longtime users who expected a clear postmortem.
Some community members have reported that older versions, such as 30.19, do not trigger Play Protect, but the overall security of specific versions remains unclear.
Until full clarity is achieved, users should stick to older verified versions, avoid logging in with important accounts, and disable automatic updates.
Resetting Google account passwords and reviewing account activity could help reduce the risk of unauthorized access.
Running occasional virus checks can add a layer of reassurance, and if anything seems unusual, users can proceed with targeted malware removal.
Setting stricter firewall rules can also help reduce unwanted connections while waiting for a clean release.
That said, Yuliskov promised to fix all the issues and release a new version to the F-Droid store, but this incident shows how even trusted open source projects can become vulnerable when key security controls fail.
Via BleepingComputer