Do you use SmartTube on your Android TV? It may have disappeared from your TV; here’s why that happened.
The issue came to light a few days ago, when users reported that Google Play Protect had disabled the app. It displayed a warning that said “The app is fake. It tries to take over your device or steal your data.” Users could choose an option to keep the app or uninstall it. Yes, it hadn’t disappeared completely; the security system just disabled it to protect you.
But, why now? What happened that triggered Google Play Protect?
According to SmartTube’s developer, Yuliskov, the digital signature that was used to sign the app has been leaked. Yuliskov warned users that someone could try to release fake versions of the app under their name, i.e. threat actors could upload a fake APK containing malware using that key. While it won’t affect existing versions of apps, it could be misused to distribute malware. To mitigate this problem, the dev has changed the signature to a new one, and this also changes the app’s ID. If you go to SmartTube’s releases on GitHub, there are no APKs available anymore. That makes sense, since they use the old signature.
One user analyzed SmartTube version 30.51, and found that it contained a hidden native library. This library runs when you start the app, and collects “your device model and manufacturer, Android version, your network operator name, whether you are on Wi-Fi or mobile data, your app package name, the app’s internal files path, a unique ID it stores, your local IP it previously saved, and a flag if Firebase is present.” It then sends a registration message to its own servers, with all the above data, silently in the background. Upon further investigation, the user said it could be a botnet, but that they hadn’t found evidence that it stole tokens or executed malicious code. However, the user also said they didn’t inspect the JavaScript code that the remote execution may have injected.
The dev confirmed on Patreon that some versions of the app are infected. AFTVNews says that Yuliskov told them that the computer used to build the APKs for the app was infected by malware. This resulted in the app being injected with malware too. It’s not clear which versions were affected, but 30.43 and 30.47 are, and these were also distributed on the popular website APKMirror (not its fault). That’s why Google Play Protect disabled SmartTube, and so did Amazon FireOS: these APKs contained malicious code.
A user said that the following versions are among those that are infected: 28.56, 28.58, 28.66, 28.75, 28.78, 29.13, 29.37, 29.62, 29.63, 29.85, 30.27, 30.32, 30.38, 30.40, 30.43, 30.44, 30.45 and 30.51.
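One way to spot an injected native library of the kind described above is to compare a release APK against an APK built from the same source on a clean machine. The following is an added example, not code from SmartTube or from the user's analysis; the library names and APK contents are constructed samples.

```python
import hashlib
import io
import zipfile


def native_libs(apk_bytes):
    """Map each lib/<abi>/*.so entry in an APK to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {
            name: hashlib.sha256(apk.read(name)).hexdigest()
            for name in apk.namelist()
            if name.startswith("lib/") and name.endswith(".so")
        }


def diff_native_libs(baseline_apk, suspect_apk):
    """Report native libraries added, removed or changed relative to the baseline."""
    base, sus = native_libs(baseline_apk), native_libs(suspect_apk)
    return {
        "added": sorted(set(sus) - set(base)),      # present only in the suspect APK
        "removed": sorted(set(base) - set(sus)),
        "changed": sorted(n for n in set(base) & set(sus) if base[n] != sus[n]),
    }


def _make_apk(files):
    """Build a minimal in-memory APK (a ZIP archive) for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        for name, data in files.items():
            apk.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a clean-machine build and a release carrying one extra library.
CLEAN = _make_apk({
    "classes.dex": b"dex",
    "lib/arm64-v8a/libplayer.so": b"player-v1",   # hypothetical library name
})
SUSPECT = _make_apk({
    "classes.dex": b"dex",
    "lib/arm64-v8a/libplayer.so": b"player-v1",
    "lib/arm64-v8a/libextra.so": b"unknown",      # hypothetical injected library
})

if __name__ == "__main__":
    print(diff_native_libs(CLEAN, SUSPECT))
```

An entry under "added" that has no counterpart in the source tree's build outputs is the signal worth investigating; "changed" entries are expected between different versions and only meaningful when both APKs come from the same commit.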
Both Martin and I have recommended SmartTube as an alternative for YouTube many times. It’s still the best way to watch videos from the platform without ads for free. If Google Play Protect warned you about the app, we recommend uninstalling that app. Get the new one instead.
Yuliskov said that the computer has been wiped and that new releases of SmartTube are safe to use. You can install the new version by following these instructions. However, the developer has warned users NOT TO download the APK from other sources. Here is the VirusTotal page for the latest stable version (v30.56), and one for the latest beta (v30.56). They are clean.
Yuliskov also said on GitHub that they are working on preparing a new release and pushing it to F-Droid, after which they will release a statement to explain what happened.
This incident has got me wondering about Google’s developer verification policy. If someone manages to steal an app’s signature key, and uses it to spread malware like this, then it’s not a perfect solution like it claimed, is it?
