
SmartTube Compromised

122 points by akersten, today at 5:01 AM, 97 comments

Comments

sfRattan, today at 1:18 PM

Announcement from the dev, in the project GitHub and Patreon:

Friends, it seems that my digital signature has been exposed. This signature protects the app from fake and malicious updates, so there is a risk that someone may try to release counterfeit versions under my name.

To completely eliminate any threats, I’ve decided to stop using the current signature and switch to a new one. Because of this, the app’s identifier will also change. You don’t need to delete the old app (but it will no longer receive updates) — the new one will install as a separate app and will need to be configured again.

Thank you for your understanding and attention to security.[1][2]

---------------

There aren't any new APK releases on GitHub yet. However, concerningly, the SmartTube website (which I won't link directly) still offers undated "Stable" and "Beta" downloads.

It sucks to deal with security breaches as an indie or solo dev, but I'll be waiting for a more detailed postmortem before assessing whether to install a future release... Hopefully one that details new security procedures to guard both the dev's key and the production build environment.

Factory resetting my Shield as a precaution, but nothing sensitive was really on there, and Android's security model did exactly what it was supposed to and limited the damage. When using a third party app like this, it's prudent to use it signed out or else with a purpose specific Google/YouTube account which is connected to nothing else critical.

[1]: https://github.com/yuliskov/SmartTube/releases/tag/notificat...

[2]: https://www.patreon.com/posts/important-144473602

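The announcement quoted above turns on one Android mechanism: the platform identifies an app's publisher by the certificate in the APK's signing block, so a new key means a new identity and a side-by-side install rather than an update. The practical check for anyone sideloading is to pin the SHA-256 fingerprint of the signer certificate from a release they trust and refuse any download whose signer differs, which `apksigner verify --print-certs` reports. The Python below is an added example, not SmartTube's code and not the developer's announced procedure: it walks the APK Signing Block (v2 scheme) to extract the signer certificate and compares its fingerprint against a pinned set. It reads the certificate only and does not verify the signatures over the APK contents; the sample APK is a constructed byte layout with dummy digest, signature and key fields, not a real build.

```python
"""Extract and pin the signer certificate of an APK from its v2 signing block.

Added example, not SmartTube's code. Android ties an app's identity to the
certificate in the APK Signing Block and rejects an update from a different
signer (INSTALL_FAILED_UPDATE_INCOMPATIBLE). This reads the certificate only;
it does not verify the signatures over the APK contents (apksigner does).
"""
import hashlib
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
APK_SIGNATURE_SCHEME_V2_ID = 0x7109871A
EOCD_SIGNATURE = b"PK\x05\x06"


def _find_eocd(data: bytes) -> int:
    """Locate the ZIP End of Central Directory record (a comment may follow it)."""
    pos = data.rfind(EOCD_SIGNATURE, max(0, len(data) - 22 - 65535))
    if pos < 0:
        raise ValueError("not a ZIP/APK: no End of Central Directory record")
    return pos


def _lp_items(buf: bytes):
    """Yield the uint32-length-prefixed items that make up a v2 sequence."""
    off = 0
    while off < len(buf):
        (n,) = struct.unpack_from("<I", buf, off)
        off += 4
        yield buf[off:off + n]
        off += n


def signing_block(data: bytes) -> dict:
    """Return {block_id: value} from the APK Signing Block, or {} if absent."""
    eocd = _find_eocd(data)
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}  # no v2/v3 block: unsigned, or JAR-signed (v1) only
    (size,) = struct.unpack_from("<Q", data, cd_offset - 24)
    start = cd_offset - size - 8  # block = size(8) | id-value pairs | size(8) | magic(16)
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    pairs, off, end = {}, start + 8, cd_offset - 24
    while off < end:
        pair_len, block_id = struct.unpack_from("<QI", data, off)
        pairs[block_id] = data[off + 12:off + 8 + pair_len]
        off += 8 + pair_len
    return pairs


def signer_cert_fingerprints(data: bytes) -> list:
    """SHA-256 of each v2 signer's certificate, as `apksigner --print-certs` shows it."""
    v2 = signing_block(data).get(APK_SIGNATURE_SCHEME_V2_ID)
    if v2 is None:
        return []
    fingerprints = []
    (signers,) = tuple(_lp_items(v2))
    for signer in _lp_items(signers):
        signed_data, _signatures, _public_key = tuple(_lp_items(signer))
        _digests, certs, _attributes = tuple(_lp_items(signed_data))
        leaf = next(_lp_items(certs))  # first certificate is the signer's own
        fingerprints.append(hashlib.sha256(leaf).hexdigest())
    return fingerprints


def check_pinned_signer(data: bytes, pinned) -> bool:
    """True only if the APK is v2-signed and its signer set equals the pinned set.
    Pins may be written as apksigner prints them (upper-case, colon-separated)."""
    want = {p.replace(":", "").lower() for p in pinned}
    found = set(signer_cert_fingerprints(data))
    return bool(found) and found == want


def _lp(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def build_constructed_apk(cert_der: bytes, signed: bool = True) -> bytes:
    """Constructed fixture: a minimal ZIP layout with a v2 block whose signer holds
    cert_der. Digest, signature and key bytes are dummies, so it parses but would
    never install; it exists only to exercise the functions above offline."""
    local_headers = b"PK\x03\x04" + b"\x00" * 26  # stand-in for the zip entries
    central_dir = b"PK\x01\x02" + b"\x00" * 42  # stand-in for the central directory
    block = b""
    if signed:
        alg = struct.pack("<I", 0x0103)  # RSASSA-PKCS1-v1_5 with SHA-256
        signed_data = _lp(_lp(alg + _lp(b"\x00" * 32))) + _lp(_lp(cert_der)) + _lp(b"")
        signer = _lp(signed_data) + _lp(_lp(alg + _lp(b"\x00" * 64))) + _lp(b"\x00" * 16)
        v2_value = _lp(_lp(signer))
        pair = struct.pack("<QI", 4 + len(v2_value), APK_SIGNATURE_SCHEME_V2_ID) + v2_value
        size = len(pair) + 8 + 16
        block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    cd_offset = len(local_headers) + len(block)
    eocd = EOCD_SIGNATURE + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central_dir), cd_offset, 0)
    return local_headers + block + central_dir + eocd


if __name__ == "__main__":
    fake_cert = b"\x30\x0c" + b"constructed!"  # not a real X.509 cert, just bytes to hash
    apk = build_constructed_apk(fake_cert)
    pin = signer_cert_fingerprints(apk)[0]
    print("pinned signer sha256:", pin)
    print("same signer accepted:", check_pinned_signer(apk, [pin]))
    print("other signer accepted:", check_pinned_signer(build_constructed_apk(b"\x30\x00"), [pin]))
```

On a real APK, `signer_cert_fingerprints(open("app.apk", "rb").read())` gives the same hex digest that `apksigner verify --print-certs` prints as the SHA-256 of the signer certificate; a release whose fingerprint changes without an announced key change is exactly the case the thread is about. A fingerprint check is a pre-install gate only, since Android itself enforces the same-signer rule at update time; it does not tell you anything about the content of a build that was signed with the legitimate key on a compromised machine.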
embedding-shape, today at 2:16 PM

> SmartTube’s developer told me that the computer used to create the APKs for the project’s official GitHub page was compromised by malware. As a result, some official SmartTube releases were unintentionally released with malware.

Seems it's lacking information about how malware manages to compromise supposedly signed releases. Do authors not have the production signing keys behind a password or similar, and review 100% of the changes before they deploy stuff?

I swear the more time goes on, the more I'm losing faith in the entire ecosystem. People running random binaries on the same device they do banking on always surprised me, but now developers manage to get malware on their developer machines and are publishing random binaries to other strangers???

boje, today at 9:03 AM

I really hope Google doesn't pick this out (and similar events) as further justification for getting rid of APK-based installation.

GaryBluto, today at 8:34 AM

It's kind of shocking to me that so many people would download an app like this and sign in using their actual YouTube account.

leo_e, today at 11:45 AM

This will inevitably be used as ammunition against sideloading, but it’s really a lesson in supply chain trust.

When we move away from walled gardens (which I support), the burden of verifying the "chain of custody" shifts to the user. Installing an APK that auto-updates with root/system privileges is essentially giving a single developer the keys to your living room.

We need better intermediate trust models—like reproducible builds signed by a quorum of maintainers—rather than just "trust this GitHub release."

Klaus23, today at 12:16 PM

A lot of people installed malware and, to be honest, nothing really happened. They might have had to change their passwords, but it could have been much much worse if Android didn't have good sandboxing.

I hope that Flatpak and similar technologies are adopted more widely on desktop computers. With such security technology existing, giving every application full access to the system is no longer appropriate.

breakingcups, today at 9:20 AM

The official announcement is very sparse on details. If the developer doesn't know how his digital signature (and update infrastructure?) was compromised, how does switching to a new signature help? It could get compromised in the exact same way.

lostmsu, today at 3:17 PM

> Do not download SmartTube from any app store, APK websites or blogs; these were uploaded by other people and may contain malware or ads. SmartTube is not officially published on any app store. Sadly, the Google PlayStore does not allow ad-free Youtube apps using unofficial APIs.

Maybe should actually switch to releasing via F-Droid.

TechSquidTV, today at 1:01 PM

Happy YouTube Premium customer here

avereveard, today at 10:31 AM

Really hate these "something was found" announcements.

Which channel distributed the compromised apk? What is the signature of the payload injected? What is the payload, what does it do?

hollow-moe, today at 7:10 AM

That's exactly why I didn't want to trust this app with a Google account; it's mandatory to use it. SmartTube also requires permission to install applications for its updater feature, so it's also possible, if the attack was targeted, for the malware to install another app to get persistence.

reassess_blind, today at 10:26 AM

What can malware in an apk do?

nubinetwork, today at 8:23 AM

In an article about not downloading malware: "You can use my downloader! It's totally safe, bro!"

Yeah, I'll pass.
