SmartTube Compromised

https://news.ycombinator.com/rss Hits: 12
Summary

Earlier this week, the developer of SmartTube, the most popular alternative YouTube app for Android TV and Fire TV devices, announced that his app’s digital signature had been exposed. A new version of the app using a new digital signature has since been released. While everyone is encouraged to switch to the new app, SmartTube’s developer has shared more information with me about what happened that may make you want to take additional precautions if you’ve installed or updated the app recently. SmartTube’s developer told me that the computer used to create the APKs for the project’s official GitHub page was compromised by malware. As a result, some official SmartTube releases were unintentionally released with malware. It’s unclear which version was first affected, but the compromise seems to have first occurred earlier this month. SmartTube versions 30.43 and 30.47 from APKMirror are both being flagged as infected by malware scanners.

It is likely the presence of this malware that caused Google and Amazon to forcibly uninstall SmartTube on some devices, not the exposed digital signature as first suspected. SmartTube’s developer says the compromised machine has been wiped and is confident that both the new SmartTube releases and the machine that created them are malware-free.

All older versions of SmartTube have been removed from the project’s GitHub in an abundance of caution. While there does not appear to be any evidence that the app’s digital signature was actually stolen or used by malicious actors, that too has been abandoned and replaced with a new one.

SmartTube version 30.56 is the first release built by the uncompromised machine and with the new digital signature. It can be installed using my Downloader app by entering code 28544 for the stable release or code 79015 for the beta release. This release does not appear on SmartTube’s release list yet because it contains some known issues that the developer hopes to fix before publishing it there.

It remains unkn...

First seen: 2025-12-01 06:49

Last seen: 2025-12-01 17:51