
SmartTube YouTube App For Android TV Breached To Push Malicious Update (bleepingcomputer.com) 17

An anonymous reader quotes a report from BleepingComputer: The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, leading to a malicious update being pushed to users. The compromise became known when multiple users reported that Play Protect, Android's built-in antivirus module, blocked SmartTube on their devices and warned them of a risk.

The developer of SmartTube, Yuriy Yuliskov, admitted that his digital keys were compromised late last week, leading to the injection of malware into the app. Yuliskov revoked the old signature and said he would soon publish a new version with a separate app ID, urging users to move to that one instead. [...] A user who reverse-engineered the compromised SmartTube version number 30.51 found that it includes a hidden native library named libalphasdk.so [VirusTotal]. This library does not exist in the public source code, so it is being injected into release builds.

[...] The library runs silently in the background without user interaction, fingerprints the host device, registers it with a remote backend, and periodically sends metrics and retrieves configuration via an encrypted communications channel. All this happens without any visible indication to the user. While there's no evidence of malicious activity such as account theft or participation in DDoS botnets, the risk of enabling such activities at any time is high.

  • The keys were stolen last week but the developer doesn't bother to tell anyone about it until after the malware has been distributed.

    Was he sleeping between last week and today?

    • Check your outrage (Score:4, Insightful)

      by TurboStar ( 712836 ) on Tuesday December 02, 2025 @03:46PM (#65830899)

      I couldn't find any info about the dev discovering the key breach before the attack. The usual order of operations is that someone reports finding malware then the key breach is found during the subsequent investigation.

      • by AmiMoJo ( 196126 )

        The main issue is that he doesn't communicate much. For years people have reported issues on GitHub, he hasn't interacted at all with them, but they get quietly fixed in the next release. That was fine until this happened, and people were scrambling to find malware-free versions, and looking for updates.

        He put out a statement saying he would publish a new version with a new signing key, and at that time explain exactly what happened. So far there has been a beta with the new key, and no other updates, which

    • by alvinrod ( 889928 ) on Tuesday December 02, 2025 @04:07PM (#65830935)
      He may not have been aware that the keys were compromised until they were misused. It's not like the keys are a physical object where a person can notice that they've been taken. Most of the people who are performing targeted attacks to gain this kind of access don't go around doing stupid things to alert someone that their machine has been compromised. I even recall an article from a few years ago where it was discovered that a malware program was also acting as an anti-virus to keep other things from infecting the machines and tipping off the users. This isn't the 90's or early 00's where people would immediately deface a website or pull some other crude prank upon gaining access.
    • I agree, he probably didn't know until it was reported. Then he investigated and found out how/when he was compromised. I doubt he sat on it for a week and waited until someone reported it.... If that was the case, he probably would have worked so quickly to fix things....
  • by r1348 ( 2567295 )

    fuck.

  • by diffract ( 7165501 ) on Tuesday December 02, 2025 @04:16PM (#65830957)
    We wouldn't need these alternatives
    • Is there an alternative for Android and iDevices that blocks ads?

      • You have Revanced for Android but Apple doesn't allow such things.

        It has some excellent accessibility improvements over stock.

      • On Android I use F-Droid then add the repository for Newpipe. In the cat and mouse game between Google and YouTube players it sometimes stops working, and I have to update stat. I noticed there's also Tubular on F-Droid, no experience with that one, it is derived from Newpipe but claims additional blocking features.
    • by Mascot ( 120795 )

      Hear, hear. On the desktop it can at least be made somewhat configurable via extensions, but on Android TV we're stuck with the mess YT decides to saddle us with. I just don't get why they don't give us tons of options to customize it to personal preference. Well, I guess I somewhat get it for non-premium, in that their incentive there is to keep people watching in order to generate ad revenue so that's their sole focus (and presumably the annoying choices they make serve that purpose), but for those wi

      • Hostile design is often a sign of libido dominandi, not just laziness.

        SmartTube has probably hundreds of settings you can tweak to improve usability and accessibility. The developer clearly has a user-first philosophy.

  • And taking personal viewing info. Starting to like the "dumber than dirt" TVs and appliances w/o being smart or internet connected.
