SmartTube for Android TV Breached — Malicious Update Pushed to Users

02.12.2025 | Author: Newsman

The popular open-source YouTube client for Android TV, SmartTube, was compromised after attackers gained access to the developer’s signing keys. As a result, a fake update was distributed under the guise of an official release. Many users received warnings from Google Play Protect that the app was potentially dangerous, and it was blocked on their devices.

The developer confirmed the key compromise and stated that the old version will no longer receive updates — a new version with a fresh digital signature and separate app identifier will be released.

It turned out that the compromised builds were approximately versions 30.43–30.47; builds from 30.55 onward were rebuilt in a clean environment and carry a new valid signature.

While there is no public evidence yet of malicious activity like account theft or DDoS participation, the injected library could quietly collect device fingerprints, send them to a remote server, and potentially be leveraged for harmful activity in the future.

SmartTube is one of the most popular third-party YouTube clients for Android TV because it offered ad-blocking, worked well on low-end devices, and delivered features and settings unavailable in the official YouTube app. 

This incident shows how critical it is to protect signing keys — a single compromise can endanger thousands of users and open doors to large-scale attacks.

If you used SmartTube, immediately disable automatic updates and check your version: avoid builds 30.43–30.47. The safest approach is to wait for the new officially signed release or uninstall the app altogether. Do not disable Play Protect, and remain cautious with third-party APKs.
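The version check above can be scripted for a device reachable over adb. The script below is an added example, not code from the article or the SmartTube project: it reads the `versionName` line from `adb shell dumpsys package` output and sorts it into the ranges reported here. The package identifier is a placeholder (the article does not give it), and the sample output is constructed.

```shell
#!/bin/sh
# Added example. PKG is a placeholder: the article does not give the package id.
PKG="${PKG:-PLACEHOLDER.smarttube.package}"

# Pull the first versionName= value out of `dumpsys package` output on stdin.
extract_version() {
  sed -n 's/^[[:space:]]*versionName=\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Map MAJOR.MINOR onto the article's ranges: 30.43-30.47 -> affected,
# 30.55 and later -> rebuilt, anything else -> unlisted. The affected range
# is stated as approximate, so "unlisted" must not be read as "safe".
classify_version() {
  case "$1" in
    [0-9]*.[0-9]*) ;;
    *) echo unparsed; return 0 ;;
  esac
  cv_major=${1%%.*}
  cv_minor=${1#*.}; cv_minor=${cv_minor%%.*}
  case "$cv_major$cv_minor" in
    *[!0-9]*) echo unparsed; return 0 ;;
  esac
  if [ "$cv_major" -gt 30 ]; then echo rebuilt
  elif [ "$cv_major" -lt 30 ]; then echo unlisted
  elif [ "$cv_minor" -ge 43 ] && [ "$cv_minor" -le 47 ]; then echo affected
  elif [ "$cv_minor" -ge 55 ]; then echo rebuilt
  else echo unlisted
  fi
}

# Constructed sample of `dumpsys package` output (not captured from a device).
sample_dumpsys() {
  cat <<'EOF'
Packages:
  Package [PLACEHOLDER.smarttube.package] (1a2b3c):
    versionName=30.45
EOF
}

# Read dumpsys output on stdin and print "<version> <status>".
check_build() {
  cb_ver=$(extract_version)
  echo "${cb_ver:-none} $(classify_version "$cb_ver")"
}

if [ "${1:-}" = "--device" ]; then
  adb shell dumpsys package "$PKG" | check_build   # query a connected device
else
  sample_dumpsys | check_build                     # prints: 30.45 affected
fi
```

Run it with `--device` and `PKG` set to the identifier shown on your device to query a real installation. An "unlisted" result (for example a build between 30.48 and 30.54) means the article gives no verdict for it.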
