
[BUG]: virus

Open ORCA058 opened this issue 3 months ago • 59 comments

Checklist

  • [x] I made sure that there are no existing issues - open or closed - which I could contribute my information to.
  • [x] I have read the FAQ and my problem isn't listed.
  • [x] I have taken the time to fill in all the required details. I understand that the bug report will be dismissed otherwise.
  • [x] This issue contains only one bug.

Affected version

during its latest installation

Device Type

Smart TV/Box

Affected Android

ANDROID

Steps to reproduce the bug

Kaspersky antivirus blocked it and wouldn't let me reinstall it. It said it was a phishing program!

Actual behavior

No response

Additional information

No response

ORCA058 avatar Nov 30 '25 15:11 ORCA058

See Important Announcement under Releases

brandonm avatar Nov 30 '25 17:11 brandonm

AV virus is one of the worst apps you can install on Android. It doesn't help in any way!

R2R29 avatar Dec 01 '25 06:12 R2R29

Thank you! I have since downloaded the SmartTube app again. Now the installation is successful. The Hungarian translation is not working yet, but it has been like this before.

ORCA058 avatar Dec 01 '25 10:12 ORCA058

not a virus - Google and other programs have a bug up their butts - they're flagging anything that helps people as malware - just go into your settings and override it if possible.

ohmichael avatar Dec 01 '25 21:12 ohmichael

> not a virus - Google and other programs have a bug up their butts - they're flagging anything that helps people as malware - just go into your settings and override it if possible.

No. There actually was an unwanted library called libalphasdk.so on several official versions. How severe that library really is is still somewhat unclear.

Bec-de-Xorbin avatar Dec 01 '25 22:12 Bec-de-Xorbin
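A defender-side check for the situation described above, added here as an example and not code from the thread or from the SmartTube project: it lists the native libraries inside an APK (which is a zip file), flags any whose name is not on an expected list, and flags libraries that ship for only some of the ABI directories, which is what a file dropped in after the build often looks like. The allowlist contents, the sample APK and the library names other than libalphasdk.so are constructed for the example.

```python
import hashlib
import io
import zipfile
from collections import defaultdict

# Allowlist of native libraries the build is expected to ship (constructed for this example).
EXPECTED_LIBS = {"libexoplayer.so"}

def native_libs(apk_bytes):
    """Map every lib/<abi>/<name>.so entry in the APK (a zip) to the SHA-256 of its contents."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                found[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return found

def unexpected_libs(apk_bytes, expected=EXPECTED_LIBS):
    """Basenames of shipped .so files that are not on the allowlist."""
    return {name.rsplit("/", 1)[-1] for name in native_libs(apk_bytes)} - set(expected)

def abi_inconsistent_libs(apk_bytes):
    """Basenames present under some ABI directories but not all of them: a library built with
    the app exists for every targeted ABI, one present for a single ABI looks dropped in."""
    abis_by_lib = defaultdict(set)
    for name in native_libs(apk_bytes):
        _, abi, base = name.split("/")
        abis_by_lib[base].add(abi)
    all_abis = set().union(*abis_by_lib.values()) if abis_by_lib else set()
    return {base for base, abis in abis_by_lib.items() if abis != all_abis}

def build_sample_apk(libs):
    """Constructed stand-in for an APK: a zip holding a manifest, a dex stub and the given libs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        for name, body in libs.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample: the expected lib for two ABIs plus one extra lib present for a single ABI.
SAMPLE_APK = build_sample_apk({
    "lib/armeabi-v7a/libexoplayer.so": b"\x7fELF-expected-32",
    "lib/arm64-v8a/libexoplayer.so": b"\x7fELF-expected-64",
    "lib/arm64-v8a/libalphasdk.so": b"\x7fELF-unexpected",
})
```

On a real file, pass `open(path, "rb").read()` in place of `SAMPLE_APK`; the per-library hashes let you compare the same entry across two builds.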

> not a virus - Google and other programs have a bug up their butts - they're flagging anything that helps people as malware - just go into your settings and override it if possible.
>
> No. There actually was an unwanted library called libalphasdk.so on several official versions. How severe that library really is is still somewhat unclear.

Wasn't aware but most programs like Google do block and remove piracy related apps for no good reason because they are evil.

Thought the problem was related.

ohmichael avatar Dec 01 '25 23:12 ohmichael

> Thought the problem was related.

No.

https://www.bleepingcomputer.com/news/security/smarttube-youtube-app-for-android-tv-breached-to-push-malicious-update/

m4teh avatar Dec 01 '25 23:12 m4teh

> Thought the problem was related.
>
> No.
>
> https://www.bleepingcomputer.com/news/security/smarttube-youtube-app-for-android-tv-breached-to-push-malicious-update/

oh my bad - wasn't aware of this - ignore my comments then.

ohmichael avatar Dec 02 '25 01:12 ohmichael

There are some questions now:

How did it happen? I already read on Reddit (not saying whether it's true or not) that it was Yuliskov's PC that got infected, so, if it's true, it raises a lot of questions about that situation:

  • Was it his personal PC? And if yes, how can he develop the app on a PC that he uses for everything else?
  • I'm not a dev, but doesn't GitHub have any tool to develop apps in a secure environment?

"Impacted users are also recommended to reset their Google Account passwords"

So, we now have to change all our passwords, even if we use 2FA??? If so, fuc...

"BleepingComputer has contacted Yuliskov to determine which versions of the SmartTube app were compromised, but a comment hasn't been available yet."

Not trying to crucify Yuliskov, but I think he already should have released a full statement about what happened, how, and if we really need to change our Google password or not.

Also, I'm now using the latest beta version that he shared here, supposedly with the new signature, but if I try to manually check for updates, nothing happens; it doesn't even "say" that there's no updates available.

R2R29 avatar Dec 02 '25 01:12 R2R29

His PC becoming infected would be the obvious and logical mechanism. You can't really just get your keys exposed many other ways.

I've factory reset my Fire TV and will be staying far away from reinstalling this app until the dust has settled.

It'd probably be wise to reset any password associated or linked to your TV in any way. Including manually delinking/deauthorising the prior TV connection from your apps.

Edit: and if malware was installed on the TV, there is risk to every device on your network. Hopefully people are using VLANs and isolation to minimise potential damage.

m4teh avatar Dec 02 '25 01:12 m4teh

> His PC becoming infected would be the obvious and logical mechanism. You can't really just get your keys exposed many other ways.
>
> I've factory reset my Fire TV and will be staying far away from reinstalling this app until the dust has settled.
>
> It'd probably be wise to reset any password associated or linked to your TV in any way. Including manually delinking/deauthorising the prior TV connection from your apps.
>
> Edit: and if malware was installed on the TV, there is risk to every device on your network. Hopefully people are using VLANs and isolation to minimise potential damage.

Like I said, I'm not a developer, but it seems to me that using a PC that is used for everything else was not smart at all. And with that, he put X (hundreds, thousands?) people at risk. Didn't expect something so noob from him.

In my case, Android/Play Store didn't flag or remove the infected version. When I became aware of this situation, I uninstalled the app, did a factory reset of the box (for other reasons), installed the new beta version that Yuliskov recommended, and authorized access to my account again (yes, I should have gone with the common sense of not installing it or authorizing it to access my Google account).

I really don't know what he's waiting for to give us a proper, and detailed explanation.

At this point, I don't know what to do:

  • Trust in the new beta?
  • Uninstall it, go through the hassle of changing my Google password (don't know if I have to create new 2FA and passkeys), then log in again on every device, and use the (shitty) official YT app;
  • Forget Smarttube forever (it wouldn't be an extreme decision since this situation seems to be a really mess and hard to forget) and maybe start using one that I already saw several reddit users mentioning: Tizentube Cobalt.

R2R29 avatar Dec 02 '25 02:12 R2R29

I have 2FA enabled on all my stuff even Google and YouTube stuff - I asked around and I'm taking my chances with just that option/feature which I've had enabled for years now - worse case scenario I'll be notified about someone trying to break in and I'll change the password then. Anyone who plans to wipe out their tv box and start over good luck but I'm not going mad nuts over this and it would be a waste of energy to start over for me over just one app especially when we know so little about what's going on. I deleted the app also and installed the new one. I think I'm okay. If not guess I'm screwed.

ohmichael avatar Dec 02 '25 04:12 ohmichael

> Also, I'm now using the latest beta version that he shared here, supposedly with the new signature, but if I try to manually check for updates, nothing happens; it doesn't even "say" that there's no updates available.

That could be due to the bug that toast messages are not shown on all devices (and that message usually comes through a toast message).

rvk01 avatar Dec 02 '25 07:12 rvk01

Had anyone used wireshark, or similar, to see if there is unsolicited traffic happening in/out of our devices, due to Smarttube? I could be wrong, but I've not read any evidence of any virus-like activity. Everything seems to be based on the appearance of a library module which may or may not be nefarious.

If you guys are wound up waiting for an explanation, remember the dev is in Ukraine, and is likely going through a tough time. Some of the stuff posted lately makes my blood boil - Yuriy works his ass off for this app, and at the first sign of trouble, some of you turned on him. Uninstall and go back to youtube.

EdmundGerber avatar Dec 02 '25 13:12 EdmundGerber

> Had anyone used wireshark, or similar, to see if there is unsolicited traffic happening in/out of our devices, due to Smarttube? I could be wrong, but I've not read any evidence of any virus-like activity. Everything seems to be based on the appearance of a library module which may or may not be nefarious.
>
> If you guys are wound up waiting for an explanation, remember the dev is in Ukraine, and is likely going through a tough time. Some of the stuff posted lately makes my blood boil - Yuriy works his ass off for this app, and at the first sign of trouble, some of you turned on him. Uninstall and go back to youtube.

I'm really sorry for Ukraine/Ukrainians but the fact that he is Ukrainian, doesn't mean he's there. Also, and according to him:

"My current priority is preparing the final release and pushing it to F-Droid"

https://github.com/yuliskov/SmartTube/issues/5142#issuecomment-3591868600

His priority should be clarifying to his users:

  • What really happened;
  • How it happened (he was developing the app on his everyday pc???)
  • Which data from users could have been compromised;
  • If users should go through the hassle of changing their Google password and login back on all the devices/apps

not "preparing the final release and pushing it to F-Droid"!

R2R29 avatar Dec 02 '25 22:12 R2R29

I don't necessarily care so much how he got hacked, and it's perfectly fine to develop apps on your main PC. He isn't working for a giant corporation here.

I agree that the priority should be explaining the impact of the hack to users in technical detail. If we downloaded the compromised version, what should we do? What should we be concerned about? What did bad actors actually get; tightly-scoped OAUTH privs to YouTube, and an app-specific directory on google drive? Should we change passwords, log-out of all our devices, what?

Given the lack of any information I did all the above, changed all passwords and logged-out everywhere, including from androidTV, not just the smarttube app. But it would have been nice to know if it was actually necessary.

rodalpho avatar Dec 03 '25 15:12 rodalpho

Which versions are even affected? Can't find any info about that.

passee avatar Dec 05 '25 21:12 passee

But how could PC malware infect an Android build? Unless his development machine is running Android and he somehow has dev tools for Android on Android, which I highly doubt, how could a virus on Windows, meant for Windows, create a .so for arm64 Android that got included, from a virus that infected his host PC, which is probably Windows?

Something doesn't add up. Because that .so (shared object) file doesn't run on windows. It said his key also got compromised, it's either someone is lying or there is a deliberate attack.

If it's a deliberate attack, won't the attacker just try again? Did the .so file already install a payload on our device (TV or android). Could be worse than what dev is making it sound.

cyraid avatar Dec 05 '25 21:12 cyraid

Another possibility is that the developer included it on purpose (I'm sorry, I have to cover the options until we know exactly what happened). Because how else could an Android .so end up in the APK bundle unless a specific malware targeted his specific development directory to include the native .so and inject it... but you also have to load the library from code, you can't just have it magically run on its own.

Dev got some real explaining to do. I'm also an android developer, so please @yuliskov , do go in detail for me (and others).

cyraid avatar Dec 05 '25 22:12 cyraid

> Another possibility is that the developer included it on purpose (I'm sorry, I have to cover the options until we know exactly what happened). Because how else could an android .so end up in the APK bundle unless a specific malware targetted his specific development directory to include the native .so, and inject.. but you also have to load the library too from code, you can't just have it magically run on it's own.
>
> Dev got some real explaining to do. I'm also an android developer, so please @yuliskov , do go in detail for me (and others).

I really don't understand why he hasn't done it yet.

R2R29 avatar Dec 05 '25 22:12 R2R29

> But how could PC malware infect an android build?

Uhhh. If you compromise a workstation, everything within that workstation is equally compromised. I thought that would be pretty obvious?

m4teh avatar Dec 05 '25 22:12 m4teh

> Uhhh. If you compromise a workstation, everything within that workstation is equally compromised. I thought that would be pretty obvious?

@m4teh did you not read my posts? If you "infect every file", let's say you try to infect runnable code in a Windows executable, it runs on x86 instructions, yes? That's the CPU architecture.. so in order to run payloads you have to include x86 code. So how is it then that those infected files with x86 code magically turn into arm64 code that somehow connects, magically changed its "magical gender" and now runs on Android, connecting to other shared libraries on Android. Different operating system my dude. Different CPU architecture. Anyone else need a tech lesson?

cyraid avatar Dec 05 '25 22:12 cyraid

An initial Windows exploitation (for example) has nothing to do with what they choose to exploit later on. Once they have access to keys from a compromised workstation, they can simply choose to compromise any project the developer may be working on within the PC. Architecture has nothing to do with it. I'm not sure why this basic concept is so difficult for you to grasp.

m4teh avatar Dec 05 '25 22:12 m4teh

@m4teh are you saying he got infected with specific software somehow, then the attackers built code specifically for his development environment, changed the files to include the library, and uploaded using his own machine?

Then why would the attackers need to compromise the key? They could just upload as him. So that theory kinda falls apart.

The other thing is, when the developer does commits, you have to actively commit the file. But I'd have to review the file getting used in the history of commits.

Because how else would the file then get included in apk builds on GitHub?

cyraid avatar Dec 05 '25 22:12 cyraid

Ask the developer, not me. I'm just simply telling you — if the workstation gets compromised, you need to consider everything contained within it as potentially compromised. Because..... the bad actors have access to everything within it....

m4teh avatar Dec 05 '25 22:12 m4teh

I don't think there is a need for advanced conspiracy theories here. What probably happened is a Windows malware was targeting any Android project found on the infected machine, and injecting its library to the dependencies.

immanuelfodor avatar Dec 05 '25 22:12 immanuelfodor

@immanuelfodor just happens to get a Windows virus which scans the entire machine looking for any development environments, scans for the relevant code to include the library, puts the library in the correct spot, and adds code to JNI it and run it, gets included in a git commit, gets pushed by the developer (even if he had staged files) and somehow the virus knew to stash those changes, commit its changes, and push.. while checking to see if it's on a specific git branch etc. etc ... No.. Just no. :)

Edit: Look, I don't mean to be rude, it all smells really fishy. Which is why I'd like a really deep conversation with the dev.

cyraid avatar Dec 05 '25 23:12 cyraid

@m4teh and sorry Matthew, you said "it" before which made me think you were referring to the malware itself, not actual hackers. Been a long rough day, then I get this news, really didn't help.

cyraid avatar Dec 05 '25 23:12 cyraid

https://www.aftvnews.com/smarttubes-official-apk-was-compromised-with-malware-what-you-should-do-if-you-use-it/

m4teh avatar Dec 06 '25 02:12 m4teh

@m4teh one of the comments on that site says:

> If the official site was hosting an apk signed by someone else, how did they get access to the official github account to post The infected version? Was the GitHub account hacked too? That’s important information to be leaving out.

I agree. This all smells. If the GitHub account is compromised too, how do we know it's the real developer?

cyraid avatar Dec 06 '25 08:12 cyraid