TL;DR A new report reveals that SmartTube, the popular YouTube app removed from Android TV and Fire TV devices last week, contained malware after the developer’s build machine was compromised.

Some official app versions released earlier this month were unintentionally distributed with that malware.

A clean, newly signed version of SmartTube is now available for download.

Users who may have installed the malware-infected versions of the app are recommended to reset their devices and take additional steps to review their YouTube and Google account information.

Google Play Protect disabled SmartTube last week after the app’s digital signature was exposed. At the time, it was believed that the signature leak was the primary reason Google and Amazon forcibly removed the app from users’ devices.

However, according to a new report by AFTVnews, it looks like the situation was more serious than initially understood.

Developers of SmartTube, the popular YouTube client for Android TV and Fire TV devices, have now confirmed that the computer used to build official APKs for the app was infected with malware. As a result, some official SmartTube releases were unknowingly distributed with that malware embedded in them.

The developer told AFTVnews that they are still unsure which versions of the app were infected first, but the security compromise is believed to have occurred in early November. Versions 30.43 and 30.47 of the app uploaded to APKMirror have been flagged as malicious by malware scanners. This is probably why Google Play Protect and Amazon disabled the app in the first place.

According to SmartTube, the compromised computer has since been wiped. The developers say the build environment is now clean, and a new app signature is also in place. An updated version of SmartTube with build number 30.56 is now available as the first release created using an uncompromised computer.

Users can download the new malware-free release using the following codes via AFTVnews‘ Downloader app: Stable version: 28544

28544 Beta version: 79015 This version of the app isn’t yet listed on SmartTube’s GitHub because of some remaining bugs that the developers hope to fix before pushing out a public release. All previous versions of the app have been removed from GitHub out of caution.

Should you be worried? It’s still unclear what SmartTube’s embedded malware is capable of doing. Thankfully, the app doesn’t request too many permissions and doesn’t require users to sign in directly with their YouTube or Google credentials. Even if users granted backup access to Google Drive, the malware should not have access to Google account data.

However, permissions related to controls of a YouTube account could be impacted, which is why AFTVnews rightly recommends factory resetting any device where the app was installed, reviewing your Google account permissions and YouTube activity history for any suspicious activity, and reinstalling SmartTube using the new, verified version.

