Top YouTube app for Android TV compromised to serve malware - here's what we know, and how to stay safe

1. Pro
2. Security

Top YouTube app for Android TV compromised to serve malware - here's what we know, and how to stay safe News By Efosa Udinmwen published 4 December 2025

The 'unexpected and suspicious' breach introduced hidden background code to the app

Comments (0) ()

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

(Image credit: SmartTube)

• A malicious library slipped into SmartTube updates without users noticing anything unusual
• Play Protect warnings led the community to investigate the suspicious build
• The hidden file maintained remote communication channels, alarming users

SmartTube, a widely used YouTube client for Android TV, recently faced a serious compromise after an attacker gained access to the developer’s signing keys.

This breach allowed a malicious update to reach users without any warning, adding a secret native library known as libalphasdk.so [VirusTotal].

Assessment of version 30.51 shows that the hidden library does not appear in the open-source codebase.

You may like

• This devious malware has jumped from Meta over to Google Ads and YouTube to spread - here's how to stay safe
• This devious Android malware spoofs WhatsApp, TikTok and more - here's how to stay safe
• Watch out, these malicious Android apps have been downloaded 42 million times - and could leave you seriously out of pocket

Hidden code and unanswered questions

This raised a red flag, since the file ran in the background, registered the device with a remote server, and maintained communication without alerting the user.

The incident surfaced when Play Protect flagged the app and blocked installations, which triggered immediate concerns across the community.

The behavior matched surveillance-style activity and raised concerns about potential misuse.

Yuriy Yuliskov, the developer of SmartTube, confirmed that an attacker had taken his keys and had added harmful code to the app.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

This prompted him to revoke the signature and begin work on a clean release, and he described the file as unexpected and suspicious.

"Possibly a malware. This file is not part of my project or any SDK I use. Its presence in the APK is unexpected and suspicious. I recommend caution until its origin is verified," Yuliskov said on a GitHub thread.

The developer also announced on Telegram that beta and stable test builds were available, but these builds have not yet appeared on the official repository.

You may like

• This devious malware has jumped from Meta over to Google Ads and YouTube to spread - here's how to stay safe
• This devious Android malware spoofs WhatsApp, TikTok and more - here's how to stay safe
• Watch out, these malicious Android apps have been downloaded 42 million times - and could leave you seriously out of pocket

Users have not received a clear explanation of how the compromise happened or which versions were affected.

This information gap has caused unease among long-time users who expected a clear postmortem.

Some community members reported that older versions, such as 30.19, did not trigger Play Protect, but the overall safety of specific releases remains uncertain.

Until full clarity emerges, users should stick to older verified builds, avoid signing in with important accounts, and disable automatic updates.

Resetting Google Account passwords and reviewing account activity could help reduce the risk of unauthorized access.

Running occasional antivirus checks can add a layer of reassurance, and if anything looks unusual, users can follow up with targeted malware removal.

Setting stricter firewall rules may also help reduce unwanted connections while waiting for a clean release.

That said, Yuliskov has promised to fix all issues and publish a new version in the F-Droid store, but this incident shows how even trusted open-source projects can become vulnerable when key security controls fail.

Via Bleeping Computer

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS YouTube Efosa UdinmwenFreelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Logout Read more This devious malware has jumped from Meta over to Google Ads and YouTube to spread - here's how to stay safe    This devious Android malware spoofs WhatsApp, TikTok and more - here's how to stay safe    Watch out, these malicious Android apps have been downloaded 42 million times - and could leave you seriously out of pocket    Android spyware pretends to be Signal or ToTok update to fool victims - here's how to stay safe    Thousands of YouTube videos disguised as cheat codes removed for spreading malware    Even your smart photo frames aren't safe from hackers now - experts flag popular Android product is at risk, so here's how to stay safe    Latest in Security Over 70 US banks and credit unions affected by Marquis ransomware breach - here's what we know    Customer data stolen in Freedom Mobile account management platform hack    This DDoS group just smashed the previous record with a 29.7 Tbps attack    Microsoft quietly patches LNK vulnerability that's been weaponized for years    UK cybercrime agency blocks nearly 1 billion access attempts to malicious websites    North Korean 'fake worker' scheme caught live on camera    Latest in News AWS Graviton5 is its most powerful and efficient CPU to date - and could mean big changes for your key cloud workloads    Roblox, FaceTime become the last targets of Russia's censorship    Marvel Rivals now has a gacha mini-game featuring a limited-time Psylocke bundle – here's how it works    YouTube to lock out under-16s in Australia as controversial social media ban looms    Forget Spotify Wrapped, get back into CDs with FiiO’s gorgeous new portable player    Sony announces partnership with Bad Robot Games to produce and publish a new four-player, co-op shooter from Left 4 Dead director    LATEST ARTICLES

1. 1Top YouTube app for Android TV compromised to serve malware - here's what we know, and how to stay safe
2. 2The godfather speaks - this is the device Linus Torvalds says would be his perfect Linux PC, but you'll never get one
3. 3Newly-discovered $1.5 billion lithium deposit could revolutionize the tech industry - but bad news, it's inside a supervolcano
4. 4Looking to supercharge your Raspberry Pi? This adapter provides two full-sized HDMI ports and a PCIe connector - and it only costs $10
5. 5Warhammer 40,000: Dawn of War 4 gets a new story trailer teasing the playable Dark Angels faction ahead of its 2026 launch