The Android TV scene is facing a major security problem after SmartTube, a widely used third-party YouTube client, was found to contain malware in its official builds. Researchers in the community discovered the issue and Google moved to disable the app on affected devices.
Users began to see alerts when Google Play Protect flagged SmartTube as unsafe. The system moved the app into a disabled state and showed the message “Your device is at risk,” preventing users from turning the app back on.
Investigators traced the breach to exposed developer signing keys. Security researcher Yuriy L identified that his digital signature had been leaked, which let attackers add malicious libraries to official releases. The tainted builds were spread via GitHub release files and in-app update channels.
After the discovery, the developer revoked the compromised signing key and said they will switch to a new key. Despite that step, multiple app versions had already been affected and the infection had spread widely.
Forensic work on the infected APKs showed a hidden and advanced implant inside native libraries. The implant was designed to run quietly on devices and was included in the official packages, which made the attack harder to spot.
The incident highlights how stolen developer credentials can turn legitimate update paths into a source of malware. It also shows the limits of relying on signed releases when signing keys are exposed.
Google’s action to disable the app has stopped further installs from those releases, but users are advised to remove any affected SmartTube installations and to watch for official notices from the developer and from Google about safe recovery steps.