• Apple and Google will use this for the next 500 years in court as reasons to disallow sideloading 

    If they ever do I'll move to whatever box/dongle gives me a better experience than Google Apple and Amazon. Worst case scenario I'll buy a really long HDMI cable and plug it into a laptop.

    Worst case scenario I'll buy a really long HDMI cable and plug it into a laptop.

    At this point just buy a Raspberry Pi or similar mini computer and just throw something on it.

    Idk man I tried something like this and it wasn't a great experience. A raspberry pi specifically. It lagged really bad and crashed on me twice.

    I think it was running raspbian? (or whatever the default linux distro for pis are) and I was using a wireless keyboard/mouse combo

    An n100 minipc is enough I guess, x86 can easily brute force android like nothing

    yah I second a n100, they are pretty good and you can find them cheapish on offerup. try searching n95, n97, n100, n150. any of those are way better, just don't expect to do modern gaming.

    Yeah just install big picture x86 android and a bluetooth controller then it's perfect for tv

    maybe you tried it a few years ago? Recent models are way more powerful

    Will be pretty useless because their own stores have such issues too, especially Google

    Yes because no Google or Microsoft product has ever been compromised or had security exploits...

    Or used pirated materials for financial gain.

    Isn't Google technically still allowing it partially

  • SmartTube’s developer told me that the computer used to create the APKs for the project’s official GitHub page was compromised by malware. As a result, some official SmartTube releases were unintentionally released with malware. It’s unclear which version was first affected, but the compromise seems to have first occurred earlier this month. SmartTube versions 30.43 and 30.47 from APKMirror are both being flagged as infected by malware scanners.

    Make sure to uninstall these versions and get the new one with the new digital signature on GitHub.

    So if I have 30.48 on a Chromecast device I am all good? Cries in uncertainty

    Yep. Compromised.

    SmartTube version 30.56 is the first release built by the uncompromised machine and with the new digital signature.

    It can be installed using Downloader app by entering code 28544 for the stable release or code 79015 for the beta release.

    This release does not appear on SmartTube’s release list yet because it contains some known issues that the developer hopes to fix before publishing it there.

    Which one is the new version number? Also, if I have a separate email for the smarttv and the YouTube account logged into Smarttube was also using it, should I swap out the account for the whole thing?

    My tv doesn't have any private data, just smarttube and Spotify. Should I worry about using the compromised apk?

    Depends on the vulnerability, they might fish for your username and password on other platforms or they might have had access to your home network

    If I update using the "update button" on the SmartTube app. Will it also be infected with malware..?

    Yes, don't update through the app. The new one has a new signature completely

    The Dev said that it won't be updated anymore. I don't see how the legit version would download or even signpost to a compromised version.

    When the new official Dev version is released then it will continue to update with the new safe version but to reiterate the existing version won't update any further.

    Is the new version available now?

    Only with the downloader app, nothing on Github.

    EDIT:

    It is available on GitHub - /u/evilbeaver7

    Technically true.

    /releases page doesn't have any even tho the Downloader seems to pull from github. But the article also said there's some issues he still needs to fix so I personally don't have any reason to hurry to get my month old installation updated.

    There are links to the new version in the Installation section of the README on the GitHub repo. Those links point to the GitHub repo's releases section, but as the article states, the dev hasn't actually published the new version to the GitHub Releases because it still has some issues. If you install the new version using the links in the README, you're basically volunteering to be testers for a new, somewhat buggy unofficial release.

    Read the article

    How dare you suggest such a thing. /s

    But people are seriously down voting you for saying this.

    The collective IQ of this sub is among the lowest of any major sub on reddit. Mostly children looking for free games and anime.

    If they don't want to read the article that answers their question, that's up to them.

    The collective IQ of this sub is among the lowest of any major sub on reddit.

    Come on. r/conservative has this sub beat by a country mile.

    If they don't want to read the article that answers their question, that's up to them.

    This is most of the post on r/outoftheloop

    Lol I said among, not THE lowest.

    But it's a similar level of delusional as conservative.

    "All media should be free" is basically the mantra of this sub. If it were all free then no one would waste their time making it because they need money to live. But they still crusade against all developers and all media companies and "we must pirate everything!" reigns supreme here. I'm continually down voted for suggesting people support their fav musicians on Bandcamp or buy the $10 indie game.

    This is actually such a reasonable take I don’t get why this is downvoted lol

    Hivemind/groupthink/whatever you wanna call it. Just proving my point really.

    People have already been trying to log in to my Google account for years from various different locations due to old website data breaches. Guess I can add one more to the list.

  • Took care of this today. Uninstalled the old versions, signed out of those devices in google, used downloader to download the newly signed stable release and installed, logged in again.

    I'm just happy Reddit was all over this...because I wouldn't have known otherwise.

    Sorry what do you mean signed out of those devices on Google? The mail I used on Smarttube does not appear, only the firestick device does (which is where Smarttube is installed)

    It's an additional security step.

    Go to google > manage your google account > devices. It shows you all logged in devices. Log out on your media devices using SmartTV/SmartTube.

    Do you have a link or downloader code to the new one?

    It's in the OP

    I got it thanks

  • This is not what is stated on the official page; it is stated that the signature has leaked, which would allow someone to create an unofficial version of the APK that could be malicious. How someone can state that a malware-infected PC would make a malware-infected APK is beyond me. Also, no one stated that a malware-infected APK version of SmartTube even exists, so stop panicking.

    that's what I was thinking, like how can an already installed app just suddenly be turned into malware unless it was the creator's doing?

    like how can an already installed app just suddenly be turned into malware

    It can't but..

    unless it was the creator's doing?

    PC used to build the APKs got hit with malware, exposing the signature. During that creation process the malware could infect the APK which then is published on Github and that malware is then installed via updates.

    At least that's my pretty basic thinking process on this based on what's written in the article.


    https://github.com/yuliskov/SmartTube/issues/5131#issuecomment-3592348406

    [Nek-12] analyzed the libalphasdk.so from SmartTube infected apk version 30.51.

    • The app shipped with a hidden native library called libalphasdk.so.
    • When SmartTube starts, it launches this library and sends a registration message to its own servers.
    • Before sending, it collects and transmits: device model and manufacturer, Android version, your network operator name, whether you are on Wi‑Fi or mobile data, your app package name, the app’s internal files path, a unique ID it stores, your local IP it previously saved, and a flag if Firebase is present.
    • It keeps a background timer that repeatedly “checks registration” with the server every second.
    • Another timer runs every minute to measure how much bandwidth the app uses; it stores usage locally and enforces a server-provided bandwidth limit.
    • The native code contains its own DNS/HTTPS client and hardcoded Google endpoints (drive.google.com, dns.google, www.google.com) suggesting it downloads commands or config from Google infrastructure to hide.
    • No user prompts or controls: all of this happens silently when the app runs.
    • What this means for you: your device details and network info were likely uploaded; the app could also pull further instructions from the internet. If you used real accounts on that device, treat it as untrusted, change passwords from a clean device, and uninstall/replace with a known-clean build.

    And then later continued in a different comment:

    Anyone who suspects they are infected MUST:

    • DELETE the installed apk asap (no un-disabling it through google play protect)
    • Revoke any access given to smarttube via their google account console (https://myaccount.google.com/connections) and optionally to the device sign in.
    • Reset google account password and other credentials (recommended)
    • Assume your google account email is now compromised

    [Nek-12] did not fully understand from the context of this discussion, but [Nek-12 is] assuming github releases were compromised too? The author (Yuri) mentioned their entire hard drive was affected and required a full wipe. That suggests their machine was compromised in ways not limited to 'signature'. Take care.

    There is no evidence I found that the app indeed steals tokens or executes malicious code. Is it a botnet? Yes, you could face ip-based bans/issues connecting to certain services/leakage of email into darknet. But I was not able to confirm that the malicious code leaves the android app sandbox or even steals YouTube tokens. Revoking access and re-granting it fresh should be sufficient. That is, I didn't examine what javascript code is injected remotely into the native library.
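
A triage check for the indicator named in the analysis above, added here as an example and not part of the thread or the SmartTube project: it lists an APK's native libraries and flags any `libalphasdk.so`, reporting its hash and which of the quoted endpoint strings it contains. The helper `build_sample_apk` and its file contents are constructed for illustration, and a missing library name does not by itself prove a build is clean.

```python
import hashlib
import io
import sys
import zipfile

# Indicators taken from the analysis quoted in the thread.
SUSPECT_LIB = "libalphasdk.so"
ENDPOINT_STRINGS = (b"drive.google.com", b"dns.google", b"www.google.com")


def scan_apk(apk):
    """Inspect the native libraries of an APK (file path or file-like object).

    Returns a dict listing every lib/<abi>/*.so entry and details for each
    entry whose file name matches SUSPECT_LIB.
    """
    report = {"native_libs": [], "suspect": [], "flagged": False}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            parts = info.filename.split("/")
            # Native code sits at lib/<abi>/<name>.so inside an APK.
            if len(parts) != 3 or parts[0] != "lib" or not parts[2].endswith(".so"):
                continue
            report["native_libs"].append(info.filename)
            if parts[2].lower() != SUSPECT_LIB:
                continue
            data = zf.read(info)
            report["suspect"].append({
                "path": info.filename,
                "abi": parts[1],
                "sha256": hashlib.sha256(data).hexdigest(),
                # Supporting context only: these hosts also occur in benign code.
                "endpoints": [s.decode() for s in ENDPOINT_STRINGS if s in data],
            })
    report["flagged"] = bool(report["suspect"])
    return report


def build_sample_apk(with_suspect_lib):
    """Constructed sample input: a minimal ZIP laid out like an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"constructed placeholder")
        zf.writestr("lib/arm64-v8a/libexample.so", b"\x7fELF constructed benign")
        if with_suspect_lib:
            zf.writestr("lib/armeabi-v7a/libalphasdk.so",
                        b"\x7fELF constructed \x00dns.google\x00drive.google.com\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python scan_apk.py file1.apk [file2.apk ...]
    for path in sys.argv[1:]:
        result = scan_apk(path)
        print(path, "FLAGGED" if result["flagged"] else "no libalphasdk.so found")
        for hit in result["suspect"]:
            print("  ", hit["path"], hit["sha256"], hit["endpoints"])
```

Run it against the APK file saved before uninstalling, or one pulled from the device, rather than relying on the version number alone.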

  • fucking hell

    This is why I always wear a condom

    Fuck hard and raw

    Username checks out

  • Does this apply to the apps on Firesticks?

    Yes it does. You must uninstall SmartTube and install the new version with the new signature.

    Where's the new version? Can't actually download it on Github because there's no apk (which is incredibly stupid).

    There are links in the Installation section of the README on the GitHub repo. (The links on the project website use a URL shortener, but they resolve to the GitHub repo.)

  • Well thanks for the heads up. Uninstalled and reinstalled the latest from them

  • I just swapped to TizenTube, it's just the regular YouTube UI with Adblock and SponsorBlock, I'll probably stick with it for a while.

    I also have TizenBrew on my Samsung TV so it works out I guess.

    this seems better to me, doesn't seem to have that annoying playback issue that smarttube had where the video would stop and go black for a sec before resuming.

    How does TizenTube do with casting? My phone would always unpair from SmartTube so I'd have to repair it with a code every time

    Never used casting in my life so I can’t help you there.

  • Does anyone know if we need to change our Google passwords?

    I did, but only because I haven't done so in long enough that it was time anyway.

    When logging into your YouTube account through SmartTube, you never actually enter your Google account credentials, and you give SmartTube very limited access to your Google account even if you enable remote backups of SmartTube settings to Google Drive. If this incident exposed our Google passwords, then there's a problem with Google's authentication system that's a much larger and more serious issue than the signature of one app being compromised.

  • I have it on my Firestick. Does this mean my Firestick is compromised too and I should do a factory reset? What about my email, is it safe or do I need to update password?

  • thank god i never update it since v.29.63

    I’m on 30.19

    Me too 30.19. And 30.29 on my second Android TV but that one has been uninstalled automatically. Hopefully these versions were clean.

  • So from everything I read is that if I was using a compromised update it would have been uninstalled from my TV but it wasn't. What I'm worried about is if using Projectivity Launcher would have affected that or not. I already uninstalled SmartTube from my TV (I was using the beta version if that matters) so I can't even see what version I was on but I was always behind on updates since I wouldn't update that often.

    I use Projectivity and it was forcibly removed for me. So you probably didn't have a compromised version.

    Thanks for this answer.

    If you have Google services installed on your device and have Play Protect enabled in your Google Play settings, it would have detected and disabled the compromised app. The launcher you use doesn't change that. Launchers on Android -- like desktop environments on Linux -- are considered just another app and not really part of the operating system. Google Play Services has its hooks in the operating system itself (unless you're using GrapheneOS to specifically prevent that).

  • Are people and the developer really recommending factory reset of devices? Are you all doing this?

  • I have smarttube beta 29.96 am I safe?

    Did you find out? I have the same.

  • Can the settings be exported and imported to the new version?

    With the new version 30.56, I am unable to restore my backup from Google Drive. Is anyone else experiencing the same issue?

    You need to be getting rid of it not wondering if you have 5 minutes to export stuff from it to your phone.

    I don't use it on my phones (Revanced FTW!). Only exclusively on Firesticks.

    You need to be getting rid of it

    Only if you have one of the versions mentioned in the article.

    Meh, it'll take you 10 mins to reconfigure worst case.

  • This is what VLANs are for. Put your TV or Android TV on an isolated VLAN, create a specific Google account for Android TV, and you're all set.

  • so true, they’ll drag it out forever for sure

  • I have version 30.19. Is it safe or should I uninstall it ?

  • A few days ago my SmartTube uninstalled by itself, was it by google protect?

  • I could see it being Google that did this specifically to discredit them

  • Any alternatives?

    TizenTube Cobalt

    Any suggestions for a phone based app? This seems to be more designed specifically for a TV interface

  • Is NewPipe still safe? I'm out of the loop here

  • This is scary.

    I am still wondering about the possible attack vectors. Might the attacker have full google email/pw combination? Probably not because the youtube login is indirect, right?

  • Using it right now, haven’t noticed any differences and I have it on 3 devices. What am I missing here?

  • I don't use my real Google account for mine so I guess I have less to lose at least. Sometimes it pays to be cautious / paranoid about security 

  • Glad to say it didn't take long to take the old one off and bring in the new version

  • If I’m on 30.04 is it recommended to delete it and reinstall the newest version? Did you guys jump to another app completely?

  • Version 29.83 is fine? Somehow I never got a newer update on my TV stick 

    Then I guess it's fine lol  I did one single update via app the other day 

  • I might have been overzealous and wiped my GTV Streamer. Have the new version running but the link to the ATV Bridge download doesn't work now. Any idea why or a legit source to obtain it?

  • Issue aside. Can anyone confirm if the trending section of the app works for anyone anymore? It hasn't for me for weeks and I don't know if it's me or everyone?

  • Just a tip. U have a vpn subscription? Choose Albania. No ads.

  • This is crazy. About 3 or 4 days ago I was using smarttube on my cheap android projector. I randomly got a usb debugging message asking for access. I thought maybe it was the company that made my projector (Xgimi) accessing a backdoor built into the software. Now this makes sense. I knew something was fishy because I cannot even access usb debugging because it's not even in the developers setting.

  • So all the people who were angrily shouting at Google for disabling this app on their devices, you're going to apologise, right? Looks like Google were protecting you.

    I still wouldn't want a corporation having automatic control over what content is on my device. Just because one time they did a 'good' thing does not change my fundamental issue with end users not having complete control of their own technology.

    Imagine thinking people on an anonymous social media site would ever apologize for overreacting. It's like asking water to apologize for getting something wet.

  • Ya’ll deserve it if you’re not willing to figure out how to get uninterrupted family YouTube premium for $2 a month. And would rather install random code from the internet