- A malicious library slipped into SmartTube updates without users noticing anything unusual
- Play Protect warnings led the community to investigate the suspicious build
- The hidden file maintained remote communication channels, alarming users
SmartTube, a widely used YouTube client for Android TV, recently faced a serious compromise after an attacker gained access to the developer’s signing keys.
This breach allowed a malicious update to reach users without any warning, adding a secret native library known as libalphasdk.so [VirusTotal].
Assessment of version 30.51 shows that the hidden library does not appear in the open-source codebase.
Hidden code and unanswered questions
This raised a red flag, since the file ran in the background, registered the device with a remote server, and maintained communication without alerting the user.
The incident surfaced when Play Protect flagged the app and blocked installations, which triggered immediate concerns across the community.
The behavior matched surveillance-style activity and raised concerns about potential misuse.
Yuriy Yuliskov, the developer of SmartTube, confirmed that an attacker had taken his keys and had added harmful code to the app.
This prompted him to revoke the signature and begin work on a clean release, and he described the file as unexpected and suspicious.
“Possibly a malware. This file is not part of my project or any SDK I use. Its presence in the APK is unexpected and suspicious. I recommend caution until its origin is verified,” Yuliskov said on a GitHub thread.
The developer also announced on Telegram that beta and stable test builds were available, but these builds have not yet appeared on the official repository.
Users have not received a clear explanation of how the compromise happened or which versions were affected.
This information gap has caused unease among long-time users who expected a clear postmortem.
Some community members reported that older versions, such as 30.19, did not trigger Play Protect, but the overall safety of specific releases remains uncertain.
Until full clarity emerges, users should stick to older verified builds, avoid signing in with important accounts, and disable automatic updates.
Resetting Google Account passwords and reviewing account activity could help reduce the risk of unauthorized access.
Running occasional antivirus checks can add a layer of reassurance, and if anything looks unusual, users can follow up with targeted malware removal.
Setting stricter firewall rules may also help reduce unwanted connections while waiting for a clean release.
That said, Yuliskov has promised to fix all issues and publish a new version in the F-Droid store, but this incident shows how even trusted open-source projects can become vulnerable when key security controls fail.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
