Earlier this week, the developer of SmartTube, the most popular alternative YouTube app for Android TV and Fire TV devices, announced that the digital signature of their app had been exposed. A new version of the app has been released using the new digital signature. While everyone is encouraged to switch to the new app, SmartTube’s developer shared more information with me about what happened that may cause you to take extra precautions if you’ve recently installed or updated the app.
SmartTube’s developer told me that the computer used to create the APK for the project’s official GitHub page was infected with malware. As a result, some official SmartTube releases were inadvertently released with malware. It’s unclear which version was affected first, but it appears the compromise first occurred earlier this month. SmartTube versions 30.43 and 30.47 of APKMirror are both being flagged as infected by the malware scanner.
It is likely the presence of this malware that has caused Google and Amazon to forcibly uninstall SmartTube on some devices, and not the exposed digital signature as previously suspected. The developer of SmartTube says that the compromised machine has been wiped and that it is confident that both new SmartTube releases and the machines that produce them are malware-free.
All older versions of SmartTube have been removed from the project’s GitHub out of an abundance of caution. Although there is no evidence that the app’s digital signature was actually stolen or used by malicious actors, that has also been discarded and replaced with a new one.
SmartTube version 30.56 is the first release produced by an unrelated machine and with the new digital signature. It can be installed using my downloader app by entering the code
It is unknown what exactly malware that infiltrates the official SmartTube APK files can do. Thankfully, SmartTube is programmed to request only minimal account permissions and does not ask for any login information directly. Even if you’ve given the app access to your Google Drive for backup purposes, your Google account and normal Google Drive files remain outside the scope of the app’s permissions. As far as account access is concerned, it appears that permissions related to control of your YouTube account are the only thing that could easily be exposed to malware.
That said, since so little is known about the malware, you should assume the worst. If you use SmartTube and are concerned about being exposed to this malware, you should factory reset the device that had the app installed, especially if you installed or updated the app in November. It would also be a good idea to audit your Google account permissions and YouTube account activity for anything unusual. Once your devices and account are set up, if you want to reinstall SmartTube, make sure to only install the latest version via the code/link above.
<a href