The developer behind SmartTube, a YouTube client for Android TV, announced a significant security breach involving its signing key, which led to the distribution of malicious APKs. The incident affected app installations, prompting Google Play Protect to intervene with disabling actions.
Security Breach and Impact
The breach was detected in SmartTube's version 30.51, which contained malicious binaries capable of collecting sensitive device data, including UUIDs and IP addresses. These were being transmitted to a remote server via encrypted DNS and HTTPS. Critical versions between 28.56 and 30.52 distributed through third-party channels and specific GitHub builds were notably affected.
In response to the breach, Google Play Protect disabled SmartTube installations, showing alerts to users system-wide. This preventive measure required users to uninstall the affected versions to enable reinstallation of safe builds.
New Release and Developer Actions
To mitigate the breach, a new SmartTube version 30.56 has been released with a revised signing key and package name, ensuring it is treated as a separate installation. The developer has taken steps to secure the app's environment and has paused further updates pending complete remediation and transparency about the original breach.
Community requests include clean-build hashes and proof of code-signing authenticity. The developer is preparing a public disclosure to detail the circumstances of the signing key leak and the measures implemented to prevent future occurrences.
User Recommendations and Developer Commitments
Users are advised to refrain from reinstalling previous builds and to await verified safe versions. The developer expressed commitment to transparency and security by introducing clean versions and addressing community concerns about account control and development integrity.
