Android TV: YouTube client SmartTube was infected with malware

SmartTube was infected with malware and the compromised build was distributed via an update. The developer provides insights into the incident.

The YouTube client SmartTube for Android TV was temporarily compromised. Attackers were able to interfere with development, place malicious code in the app, and distribute it to users via an update. The affected version is now offline, and the developer has issued a statement.

Anyone who has installed the app should uninstall it for security reasons for the time being and wait for the already announced new version.

On GitHub, the developer states in a post that an unknown person had access to the private key used for signing the app. With it, they were able to sign the malware-infected app in the developer's name and distribute it as an apparently legitimate release.

However, Google's Play Protect security mechanism triggered for some users and blocked the compromised app. One of the affected users then created a bug ticket on GitHub, and other victims quickly joined.

There is already an initial analysis of the malicious code. The code is found in the library libalphasdk.so. At present, the app uses it to send metrics to a server, among other things. So far, there are no indications of account data being intercepted or of DDoS activity. This could change at any time, as according to the analyses the manipulated app can receive instructions from the attackers.
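A quick triage check a user or analyst could run on a downloaded APK, looking for the native library named above and recording its hash for comparison with the GitHub analysis. This is an added example, not code from the developer or from the analysis thread; the sample APK is constructed in memory, and the ELF stub bytes are placeholders.

```python
"""Triage an APK (a zip archive) for the indicator named in the SmartTube report:
the bundled native library libalphasdk.so. Sample APK is constructed below."""
import hashlib
import io
import zipfile

# Library name taken from the article's description of the malicious code.
SUSPECT_LIBS = {"libalphasdk.so"}


def native_libs(apk_bytes: bytes) -> dict:
    """Map each native library path under lib/<abi>/ to the SHA-256 of its contents."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            parts = info.filename.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                found[info.filename] = hashlib.sha256(z.read(info)).hexdigest()
    return found


def triage(apk_bytes: bytes) -> dict:
    """Return {'flagged': [paths matching SUSPECT_LIBS], 'libs': {path: sha256}}."""
    libs = native_libs(apk_bytes)
    flagged = sorted(p for p in libs if p.rsplit("/", 1)[-1] in SUSPECT_LIBS)
    return {"flagged": flagged, "libs": libs}


def build_sample_apk(with_suspect: bool) -> bytes:
    """Constructed stand-in for an APK: a manifest, one benign native library
    and, optionally, the suspect one (stub bytes, not real ELF objects)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("lib/arm64-v8a/libplayer.so", b"\x7fELF benign stub")
        if with_suspect:
            z.writestr("lib/arm64-v8a/libalphasdk.so", b"\x7fELF suspect stub")
    return buf.getvalue()


if __name__ == "__main__":
    for tag, apk in (("clean", build_sample_apk(False)), ("infected", build_sample_apk(True))):
        result = triage(apk)
        print(tag, "flagged:", result["flagged"] or "none")
        for path, digest in result["libs"].items():
            print("  ", path, digest)
```

For a real file, pass `open("app.apk", "rb").read()` to `triage`; a flagged hit is a reason to uninstall and compare the hash with the published analysis, not proof of infection by itself.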

In the meantime, the developer has also joined the GitHub thread and is providing further background. They state that they have taken the app offline for the time being. On Telegram, they are already distributing a beta version signed with a new key. The signature created with the stolen key has since been declared invalid.

Once development is complete, they will announce further details about the incident, such as how the key was lost. It is currently unclear in which version the malicious code was first introduced.

(des)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.