Announcement from the dev, in the project GitHub and Patreon:
Friends, it seems that my digital signature has been exposed. This signature protects the app from fake and malicious updates, so there is a risk that someone may try to release counterfeit versions under my name.
To completely eliminate any threats, I’ve decided to stop using the current signature and switch to a new one. Because of this, the app’s identifier will also change. You don’t need to delete the old app (but it will no longer receive updates) — the new one will install as a separate app and will need to be configured again.
Thank you for your understanding and attention to security.[1][2]
---------------
There aren't any new apk releases on GitHub yet. However, concerningly, the SmartTube website (which I won't link directly) still offers undated "Stable" and "Beta" downloads.
It sucks to deal with security breaches as an indie or solo dev, but I'll be waiting for a more detailed postmortem before assessing whether to install a future release... Hopefully one that details new security procedures to guard both the dev's key and the production build environment.
Factory resetting my Shield as a precaution, but nothing sensitive was really on there, and Android's security model did exactly what it was supposed to and limited the damage. When using a third party app like this, it's prudent to use it signed out or else with a purpose specific Google/YouTube account which is connected to nothing else critical.
> To completely eliminate any threats, I’ve decided to stop using the current signature and switch to a new one. Because of this, the app’s identifier will also change. You don’t need to delete the old app (but it will no longer receive updates)
I'm curious if this is the best idea? Like, if you don't read all the GitHub releases thoroughly or miss the HN material, and instead you just auto-install updates, you downloaded a malware-infested version which will be on your device until you learn otherwise?
At this point, Play Protect will remove the apks with the old signature because the developer marked the old signature as compromised. The developer acted correctly and responsibly in doing so, and seems to be working out establishing a new setup now, including a new signing key.
For those using sketchy devices without Play Protect and also installing random apks without an understanding of security or Android's trust-on-first-use model, there's not much anyone can do.
I installed 30.56 from the git link on my Shield. It did not overwrite the old one, as it has the old signature. I manually uninstalled 30.48. I did not use the backup/restore option in either as I didn't want to dirty any data in the new app.
> SmartTube’s developer told me that the computer used to create the APKs for the project’s official GitHub page was compromised by malware. As a result, some official SmartTube releases were unintentionally released with malware.
Seems it's lacking in information about how malware manages to compromise supposedly signed releases? Do authors not have the production signing keys behind a password or similar, and review 100% of the changes before they deploy stuff?
I swear the more time goes on, the more I'm losing faith in the entire ecosystem. People running random binaries on the same device they do banking on always surprised me, but now developers manage to get malware on their developer machine and are publishing random binaries to other strangers???
the malware need not actively create a release like a worm, it can just infect every build and if you don't check carefully, your next regular release will contain it.
is one of the reasons we fight holy wars for SSO and strict login rules even for Dev or QA environments -- if you can get in during a dev build you can get stuff in there that carries through.
maybe QA will find it... but they're testing X number of JIRA tickets based on Y epics and if it's not on the list they're not looking...
Blocking file-based installations was never planned. It's fake news and always has been. It's all about requiring code signing for all code so that malware-spreading authors can be easily blocked by adding their signing key fingerprint to the blocklist.
It doesn't matter whether the app is installed via Play Store, Huawei's or Samsung's store etc., or from APK.
This is a drastic misrepresentation of the situation. All Android apps already have code signing, you cannot install an app unless it has a signature, and any future updates are blocked unless the signature matches. This is how it's been practically since the start of Android, it's part of the security model to prevent something like a malicious Firefox APK stealing your cookies.
What's new is that they were gonna block installations outside of Google Play, unless the developer has signed up for Google Play Console and has gone through a verification process there, whitelisting their signing key fingerprint. However, they've walked back on this and said they'll create a new "advanced flow" for "advanced users" that's "designed to resist coercion" to bypass this restriction. Door in the face technique IMO, the existing 12-step process to installing an app was already complicated enough.
So effectively the result is that file based installations will be blocked unless Google has specifically whitelisted their key through the Google Play Console verification process, or the user goes through this "advanced flow" which we're yet to see any details of.
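The rule these comments lean on (an app's first install pins its signing certificate, later updates must be signed by the same certificate, a different key under the same package id is refused, and a fingerprint the developer marks as compromised is blocked outright) is small enough to write down. The following is an added Go example, not Android's installer code and not anything from the SmartTube project: the package ids, the self-signed certificates and the blocklist are constructed stand-ins, and `Evaluate` models only the signer-consistency check, not APK parsing or the full APK Signature Scheme.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// InstalledApp is what a device remembers after the first install: the package
// identifier and the SHA-256 fingerprint of the certificate that signed it.
type InstalledApp struct {
	PackageID    string
	SignerSHA256 string
}

// Candidate is an APK offered for install or update (constructed; no APK parsing here).
type Candidate struct {
	PackageID string
	Version   int
	CertDER   []byte // DER-encoded signing certificate from the APK's signature block
}

// Decision is what the installer does with a candidate.
type Decision string

const (
	InstallNew    Decision = "install as a new app"
	UpdateOK      Decision = "update accepted"
	RejectSigner  Decision = "update rejected: signer does not match installed app"
	RejectRevoked Decision = "blocked: signer fingerprint is on the blocklist"
)

// CertFingerprint is the hex SHA-256 digest of the DER certificate, the value
// Android tooling reports as the signer's certificate digest.
func CertFingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Evaluate applies trust on first use: a package id seen for the first time is accepted
// and its signer pinned; later updates must carry the same signer; a blocklisted signer
// is refused regardless. New installs are recorded in `installed`.
func Evaluate(installed map[string]InstalledApp, blocklist map[string]bool, c Candidate) (Decision, error) {
	if _, err := x509.ParseCertificate(c.CertDER); err != nil {
		return "", fmt.Errorf("unparseable signing certificate: %w", err)
	}
	fp := CertFingerprint(c.CertDER)
	if blocklist[fp] {
		return RejectRevoked, nil
	}
	prev, seen := installed[c.PackageID]
	if !seen {
		installed[c.PackageID] = InstalledApp{PackageID: c.PackageID, SignerSHA256: fp}
		return InstallNew, nil
	}
	if prev.SignerSHA256 != fp {
		return RejectSigner, nil
	}
	return UpdateOK, nil
}

// newSelfSignedCert makes a throwaway self-signed certificate standing in for a
// developer's signing key (constructed for this example only).
func newSelfSignedCert(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// Scenario replays the thread's situation with constructed keys and package ids
// and returns the installer's decisions in order.
func Scenario() []Decision {
	oldCert := newSelfSignedCert("old signing key (constructed)")
	newCert := newSelfSignedCert("new signing key (constructed)")
	installed := map[string]InstalledApp{}
	blocklist := map[string]bool{}
	var out []Decision
	step := func(c Candidate) {
		d, err := Evaluate(installed, blocklist, c)
		if err != nil {
			panic(err)
		}
		out = append(out, d)
	}
	step(Candidate{"org.example.tube", 48, oldCert})  // first install: signer pinned
	step(Candidate{"org.example.tube", 49, oldCert})  // routine update, same signer
	step(Candidate{"org.example.tube", 56, newCert})  // different key, same id: refused
	step(Candidate{"org.example.tube2", 56, newCert}) // new id + new key: separate app
	blocklist[CertFingerprint(oldCert)] = true        // old fingerprint marked compromised
	step(Candidate{"org.example.tube", 57, oldCert})  // still signed by it: blocked
	return out
}

func main() {
	for i, d := range Scenario() {
		fmt.Printf("step %d: %s\n", i+1, d)
	}
}
```

Step 3 is why a new key forces a new package id: the old app cannot be updated by the new key, so the developer has to ship under a fresh id and users end up with two apps side by side, exactly as the announcement says. Step 5 is the blocklist behaviour the comment attributes to Play Protect, modelled here as a plain fingerprint lookup.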
I am currently in process of "verifying" my identity with Android Developer console.
In addition to proof of identity (e.g. passport/driver license) Google is demanding a proof of address, government registration, this month's rental agreement, foreign passport... The process is stuck in limbo because months-old documents are deemed "outdated", and I am constantly threatened that my verification request (!) will be denied because of "exceeding allowed number of attempts" (!!)
It shares the same principle as silent Discord account bans and other "verification" harassment schemes, such as Upwork account verification. The excess developers — Google's potential competitors — need to be banished from platform as quickly and cheaply as possible, so that Google can peddle their own spyware unimpeded.
It's not just cost and ads. It's having the possibility to reduce attempts to manipulate my inner reptile brain. With various clients, you can disable shorts, recommended, you have sponsorblock, you can replace youtube-face-thumbs with actual thumbs and get crowd-sourced titles that better reflect the contents.
I also don't need to manually go set speed to 1.75x and enable subs in english, it's a one-time setting. _Further_ I can download a video locally, for whatever reason (later viewing, bw throttling, risk of deletion, etc).
As if that weren't enough, I don't have to watch videos logged in, my client is just set up to download my select channels.
Same here, we also both have YT Premium and use SmartTube. Our dislike of "Shorts" pushed everywhere in the YT app is what got us to switch to SmartTube. We watch Youtube on our 65" TV via Chromecast, so shorts are just really a crap experience and we do not want to see them at all. SmartTube lets us eliminate them, as well as all the other awesome UI customization makes it a far superior experience.
Is $14 dollars for ad-free, unlimited access to literally billions of videos really a steep price? Personally if I were to get rid of all but one of my media subscriptions I would stick with this one, since it's got everything - entertainment, education, inspiration, you name it.
$14 is two days worth of living in my country for your average man on the street, among many other similar places. Imagine if you had to pay $200 to watch YouTube, that's how much these services cost for us.
They refuse to correct for purchasing power parity and are left with nothing in the end. Steam seems to do very well in comparison.
(I don't watch YouTube even for free, but practically everybody I know does without paying anything, and it makes a lot of sense).
There are a lot of things in this world besides YouTube Premium, which cost $14 or more. That some people in the world are very poor is no kind of argument as to how companies should price their products.
"Purchasing power parity" is a non-concept for almost 100% of companies and products. But YouTube Premium is priced differently in different regions. Sometimes much cheaper than $14.
The person you're responding to is not debating that the companies are setting the wrong prices, so no need to try to convince them that the companies are already setting prices "the right way".
They're explaining for people who don't seem to understand, why people are fine signing in to these kind of 3rd party apps in the first place, because the subscription price ends up being what these people earn in days, not hours.
YouTube is 10x the quality and 10x the quantity than any other video service.
As for the ads, YouTube Premium now has built-in sponsor skip. They can't really block sponsored segments, as that is a freedom of speech issue and also something they can't easily determine. Creators can just omit that some product is sponsored.
> YouTube is 10x the quality and 10x the quantity than any other video service.
I guess you could say YouTube surfaces a larger span of quality, from really shit quality to incredible high quality, which I guess is cool. But since they provide zero tools to actually discover the really high quality, and on top of that decide they know better what I want to watch than me (like the subscriptions page not starting with the last published video), does that really matter?
> as that is a freedom of speech issue
It isn't. Freedom of speech in the US (since Google is based there, and maybe you too?) is about the government placing restrictions, not companies or individuals. As an individual (or company), you're free to limit the speech of anyone you want on your platform, for any reason. You might face public outcry, but it isn't a freedom of speech issue as it's on a private platform in the first place.
They provide all the tools to discover high quality videos and channels. It's called "like and subscribe". If you use those features, it doesn't take long before YouTube shows you only high quality videos. And there's also the dislike button and "Do not recommend this channel again", if you need.
> Freedom of speech in the US...
Freedom of speech is a subject which is much larger than the US constitution. I'm not saying YouTube isn't legally allowed to block sponsored segments. I'm saying that they might not want to because they don't want to limit their creators' speech in that matter. Especially considering how easy it would be to side-step. What would be their reason? They've already made it easy to skip sponsored segments.
Youtube is both 10x and 0.1x the quality, and the official app has no way to filter it. They even removed the feature (downvotes) to let the user filter it.
And the proliferation of AI videoslop is only making the 0.1x side larger and larger
>Creators can just omit that some product is sponsored.
Not true in the US, where the FTC requires (and has required for decades) disclosure by the creator to the viewer whenever a payment has been made to the creator to promote anything. On Youtube, this is typically done by the creator's saying (in the video) "this video is sponsored by Foo Corporation", or, "I wish to thank the sponsor of this video, Foo Corporation".
Personally, I'm unhappy with Premium's built-in sponsor skip. For one thing it becomes available to me only after enough previous viewers have manually skipped over the sponsored segment. For another, it sometime skips ahead too far (probably because the viewers who manually skipped weren't precise in skipping exactly to the end of the sponsored segment). I'd much rather Youtube allowed the uploader to declare (to Youtube) that the upload is free of sponsors (e.g., by checking a box) and then punishing the uploader somehow if he routinely declares falsely. With that information, Youtube could and IMHO should give me the option of telling Youtube somehow (e.g., by checking a box) that I prefer for sponsored videos to be omitted from my recommendations.
Individual Youtube creators in the US most certainly are concerned about the FTC and about this rule specifically because they do not want to find themselves in court explaining to a judge why they shouldn't pay a big fine.
Also, if the creator doesn't follow the rule, the sponsor can be fined by the FTC, so even before the FTC notices the violation, the sponsor will probably notice and refuse to continue the relationship unless the creator's videos come into compliance with the rule.
Again, this rule has been in effect for decades in the US. Advertisements in the US must be labeled as such. Ditto paid endorsements.
essentially every YouTuber I've watched who discussed their financials said that their sponsorships brought in several times more money than all forms of YouTube money.
which is a very niche slice, and I have no idea how representative it is in aggregate. but sponsorships happen because they pay well enough to annoy every viewer, not just ones that aren't using the better-paying Premium - they generally are not cheap, to say the least.
If you look at Premium, it's about 100x more lucrative than regular views. So I'm pretty sure I'm providing more money to creators than the skipped ads.
To be clear: I completely believe that Premium is a major source for many people. 100%. I just haven't seen many examples of it, outside tubers that have zero sponsorships (because they're small and/or not doing the low-value slightly-shady ones that get spammed everywhere). I'm thrilled that Premium seems to pay relatively well, it's better for everyone to move away from ads where possible.
LTT though is a rather significant outlier in terms of subscribers (16.6 million right now). For truly large channels it's reasonable for the equation to be different.
And the equation for them really is different. They're a company with ~100 employees¹ and YouTube and video sponsorships came out to just 11.6% (ads AND premium) and 9.2% respectively of their multi-person company income. People claiming "SponsorBlock steals from creators" aren't talking about LTT, they're talking about smaller creators for whom YouTube stuff is a majority of their income.
Plus, like. Ads+premium lumped into one. It wouldn't surprise me if premium was lower than sponsorships.
I suspect we're in different niches then or something. If ya don't mind sharing / have links handy, do you have any examples? I'm curious what kind of channel it works well for.
I can try to hunt mine down, but most of the examples I've had were from a couple years ago, and YouTube's history is rather hard to search for stuff like that :| Not high odds of success.
These are niche Russian-language channels (@Varlamov, @Max_Katz). They disclosed their finances to drive up Patreon/Youtube subscriptions because Youtube stopped monetization from Russia.
I've been trying to find public numbers for English-language channels, but wow. So much slop.
* $0.00 plus additional risk that the author of the alternative you are using is compromised, you end up using a malicious version of that alternative, and get pwned.
Obviously for some/many, that trade-off is totally cool. But it needs to be included in the analysis, otherwise you're being dishonest.
Not to mention included YouTube Music. It's one of the few subs I pay for, because I watch a _lot_ of YouTube on the TV. And also like to have it in the background for "Podcast" style videos where the video is really only an accompaniment.
That's actually worse. They used to have a separate YouTube subscription. I don't want (to pay for) YouTube Music, because I already have Apple Music and Tidal, which I prefer.
Also, since Youtube Music is just a skin over Youtube, it's not true that your subscription must necessarily be cheaper if there were no Youtube Music.
I'm the opposite. With YouTube Music, I don't need Apple Music, Spotify, Tidal, or any other service. For me, YouTube Premium is a good deal, and other than Fubo TV it's the only streaming media subscription I have.
Insane hyperbole here, this guy's adblock = risking humanity losing its 2nd most important platform owned by one of the most profitable companies in the world
OpenAI thought of it first, should YouTube get a government backstop too?
I am dubious about the importance of Youtube. If it disappeared tomorrow how long would it take for most videos to reappear elsewhere? Some of the creators I watch do have the videos available elsewhere. Veritasium is on Odysee, lots of people are on Nebula (and release videos there that are not on Youtube), etc.
I think there is a good argument that having a single dominant platform has been harmful.
Imo, most videos would never be re-uploaded somewhere else. Currently-active creators that choose to keep a backup copy of their videos are probably the minority of creators.
Let’s not get too hasty comparing YouTube to Wikipedia. Maybe what you watch on YouTube is interesting and educational, but let’s not forget it’s also a major platform for misinformation, propaganda, conspiracy theories, radicalisation, scams…
That's extremely subjective, but I'd rather save that $14 a month towards retirement. And if YouTube was only available with ads... well, that's no videos for me, maybe for the better, I would waste less time.
In high school I knew a kid who would go around looting loose change from unlocked cars. He'd pull the driver side door open like it was his car, hop in, loot the center console, then hop out like nothing happened. He wouldn't take valuables (as far as I knew), just change, so maybe a few bucks per car.
His rationale? "Nobody will cry over a few missing quarters and they are free to lock their doors anyway."
The reason it's not stealing is because the cost to serve content is tiny (spare change) and the sites don't stop you from viewing it with ad-blocker (unlocked doors).
basically, yeah. there's a white fast forward button that appears during frequently fast forwarded sections, which unsurprisingly happens to be sponsor sections.
That's a very generous characterization of what most YouTube content is.
My experience is that you are basically paying to remove the official ads from your disguised ads.
The various algorithm tweaks for engagement these past few years and the introduction of shorts have significantly degraded the content quality and many good channels have just thrown the towel.
Right, I want premium because it's a "fair" payment for the service I use and would help support the people who make good content, but the vast majority of those dollars go to the company who is solely at fault for encouraging and essentially requiring creators to use clickbait and fake thumbnails and put out slop every single day and never ever ever try doing something slightly different and consistently change things in ways that those creators do not want and hate. Every complaint you likely have about youtube content was forced by youtube for their own profitability. Don't like sponsorships? People mostly started seeking them out after Google cut ad payouts essentially in half with no warning. Don't like videos being way longer than they need to be? That's because youtube started paying out based on watch time instead of views and that encourages padding. Don't like censorship? It was Youtube's choice to shadowban/punish anyone who even said the word pandemic during a literal global pandemic that people probably wanted to talk about, even in passing. Buy into Youtube's new "channel member" feature in good faith? Well then Youtube changed it so that the videos that only members can watch are now shoved in front of everyone's eyeballs without your approval or desire or asking and it's really annoying to all your viewers. Don't like every video spending 30 seconds telling you to subscribe and "hit that like button" and then the fucking bell? That's because google decided that if your video didn't have a high enough click through rate, it wouldn't be shown to subscribers at all, and then introduced the bell for "subscribers but for real", and then even that hasn't really been honored. Youtube has for example suddenly decided that I should be shown low view russian language plagiarism of videos I like that have then been autodubbed back into english rather than the video from one of my subscriptions that was copied to make the russian video. 
How is that supposed to help anyone?
I will happily pay for youtube when they show that they want to encourage good content and help empower the people who make that good content, but Google doesn't want to do that because Mr Beast slop advertising to your kids is more profitable.
It's >12x the ad revenue they bring in per monthly-active YouTube user (suggesting they'd still be happy with a much lower price), and the price has increased 75% in the last decade (compared to the 40% real inflation over that period, suggesting they intend to continue increasing the price till public backlash or other effects reduce their total revenue). Plus they're boiling the frog, slowly adding ads back in to music and shorts for premium users, and we'll see how far that initiative goes.
> Plus they're boiling the frog, slowly adding ads back in to music and shorts for premium users
Do you have a source for this?
I do value watching unlimited youtube videos without ads, but if they're gonna add the ads back in, I'd easily stop paying for the one google product I currently pay for (and honestly the only reason I haven't already done this is laziness and convenience)
It launched at $9.99[1] and is now $13.99[2] which I believe to be a 40% increase, i.e. flat in real dollars. If like most people you subscribe for a year, it's only $11.67/mo.
This suggests that you initially subscribed to Google Play Music at their launch special price, and were later grandfathered into getting YouTube Premium at the same price, or that you used YouTube Music Key (yes, more product roadmap confusion!) with the same outcome, or that you signed up with a student account (this is still $7.99 today).
Sometimes people download it because there's no alternative. E.g. the YT app is not available in the play store in their country on that specific hardware, so the only way to be able to view YT is to use an alternative app like this one.
Technically correct but somewhat misleading. The app in question only asked for the following Google account permissions:
1. Manage your YouTube account
   - View and manage your videos and playlists
   - View and manage your YouTube activity, including posting public comments
2. View and manage your [YouTube] rental and purchase history
   - Your rental and purchase history may be displayed and accessible on this device.
I can't help but think that this is a "I have nothing to hide" argument. It's quite sisyphean to keep accounts perfectly segregated, therefore there's always a chance that personal information can be traced back and pieced together; which, in turn, has "boring-old security" implications: i.e., now someone possibly knows your habits and times when you are at work
Many people have had multiple gmail accounts since 2004.
I have a gmail account used solely for google store and Android TV related verifications that's unlike other business, personal, registration, or spam email accounts.
The TVs in the house, smart wifi devices, and guest wifi accounts are on separate subnets, the NAS hosted media has limited read only keyhole access accounts for TV apps to use.
Whether it's SmartTube or any other app (iView, SBSOnline, Netflix, etc) it's wise to assume that anyone can be compromised by malware to sniff traffic for (say) bank account passwords, host bots for DDOS or mining, etc.
You risk losing your entire Google account along with all documents, photos, mail, and whatever else you have there. Enough stories of this happening if you look around.
If you're just a normal user the risk is very low. This almost always happens when someone using Google APIs for business purposes trips a fraud or spam detector.
> Also are you really using same account for gmail, your personal pictures/docs and youtube?
Most people use "sign in with Google" and tie their Google account to services well beyond the Google ecosystem, just to avoid creating a new entry in their password manager (lol). You think people are making new Google accounts for each Google service? That's hard for me to believe.
It's such a good client. With the YT Roku app, if you change playback speed, quality will drop to 720p or lower. SmartTube lets me watch at full 1080p with 1.5x speed.
This will inevitably be used as ammunition against sideloading, but it’s really a lesson in supply chain trust.
When we move away from walled gardens (which I support), the burden of verifying the "chain of custody" shifts to the user. Installing an APK that auto-updates with root/system privileges is essentially giving a single developer the keys to your living room.
We need better intermediate trust models—like reproducible builds signed by a quorum of maintainers—rather than just "trust this GitHub release."
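The "reproducible builds signed by a quorum of maintainers" model this comment asks for, and the earlier remark that malware on one build machine can silently infect every build from it, can be shown together: each maintainer builds independently, signs the digest of what they got, and a client accepts a download only when enough distinct maintainers attest to exactly that digest. This is an added Go example, not the SmartTube project's code or any existing release tool; the maintainers, their ed25519 keys, the release tag and the "artefact" bytes are all constructed here, and a real build step is replaced by the bytes passed in.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Maintainer is a name plus the public half of that maintainer's attestation key.
type Maintainer struct {
	Name string
	Pub  ed25519.PublicKey
}

// Attestation is one maintainer's signed statement: "building tag T gave me digest D".
type Attestation struct {
	Signer string
	Digest [32]byte
	Sig    []byte
}

// message binds the digest to the release tag so an attestation cannot be
// replayed for a different release.
func message(tag string, digest [32]byte) []byte {
	return append([]byte("release-attestation\x00"+tag+"\x00"), digest[:]...)
}

// Attest hashes the artefact a maintainer's own build produced and signs the result.
func Attest(name string, priv ed25519.PrivateKey, tag string, artefact []byte) Attestation {
	d := sha256.Sum256(artefact)
	return Attestation{Signer: name, Digest: d, Sig: ed25519.Sign(priv, message(tag, d))}
}

// ReleaseOK decides whether a downloaded artefact may be installed: at least
// `threshold` distinct trusted maintainers must hold valid signatures over exactly
// the digest of what was downloaded. Unknown signers, bad signatures, repeated
// signers and attestations over a different digest (a build that did not
// reproduce) count for nothing. It also returns how many maintainers agreed.
func ReleaseOK(trusted []Maintainer, threshold int, tag string, downloaded []byte, atts []Attestation) (bool, int) {
	want := sha256.Sum256(downloaded)
	pubs := map[string]ed25519.PublicKey{}
	for _, m := range trusted {
		pubs[m.Name] = m.Pub
	}
	agreed := map[string]bool{}
	for _, a := range atts {
		pub, known := pubs[a.Signer]
		if !known || a.Digest != want {
			continue
		}
		if ed25519.Verify(pub, message(tag, a.Digest), a.Sig) {
			agreed[a.Signer] = true
		}
	}
	return len(agreed) >= threshold, len(agreed)
}

// Demo sets up three constructed maintainers with a 2-of-3 policy and returns verdicts for:
//   0: the clean artefact, attested by all three
//   1: the artefact from one maintainer's compromised build machine (payload injected)
//   2: the clean artefact, with that compromised builder attesting to its tampered one
//   3: a single maintainer's attestation submitted twice, pretending to be a quorum
func Demo() []bool {
	const tag = "v30.56-example"
	clean := []byte("app bytes built from the tag (constructed)")
	tampered := append(append([]byte{}, clean...), []byte("+injected payload")...)

	var trusted []Maintainer
	privs := map[string]ed25519.PrivateKey{}
	for _, n := range []string{"alice", "bob", "carol"} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		trusted = append(trusted, Maintainer{Name: n, Pub: pub})
		privs[n] = priv
	}
	att := func(n string, art []byte) Attestation { return Attest(n, privs[n], tag, art) }

	allClean := []Attestation{att("alice", clean), att("bob", clean), att("carol", clean)}
	aliceCompromised := []Attestation{att("alice", tampered), att("bob", clean), att("carol", clean)}
	duplicate := []Attestation{att("alice", clean), att("alice", clean)}

	ok0, _ := ReleaseOK(trusted, 2, tag, clean, allClean)
	ok1, _ := ReleaseOK(trusted, 2, tag, tampered, aliceCompromised)
	ok2, _ := ReleaseOK(trusted, 2, tag, clean, aliceCompromised)
	ok3, _ := ReleaseOK(trusted, 2, tag, clean, duplicate)
	return []bool{ok0, ok1, ok2, ok3}
}

func main() {
	fmt.Println(Demo()) // [true false true false]
}
```

Case 1 is the thread's incident: a compromised builder produces a valid signature, but over a digest nobody else can reproduce, so one honest builder's disagreement is enough to stop the tampered artefact from reaching a 2-of-3 quorum. Case 3 shows why the count must be over distinct signers rather than over signatures.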
The official announcement is very sparse on details. If the developer doesn't know how his digital signature (and update infrastructure?) was compromised, how does switching to a new signature help? It could get compromised in the exact same way.
The article linked here brings some more details, but also, the official statement doesn't use the word "compromised". If it did, well it would be a statement with different meaning than the one that was released for us to read.
A lot of people installed malware and, to be honest, nothing really happened. They might have had to change their passwords, but it could have been much much worse if Android didn't have good sandboxing.
I hope that Flatpak and similar technologies are adopted more widely on desktop computers. With such security technology existing, giving every application full access to the system is no longer appropriate.
You don't, but as far as I know, Flatpak or Snap are the only practical, low-effort ways to do it on standard distros. There's nothing stopping flatpak-like security from being combined with traditional package management and shared libraries. Perhaps we will see this in the future, but I don't see much activity in this area at the moment.
> Do not download SmartTube from any app store, APK websites or blogs; these were uploaded by other people and may contain malware or ads. SmartTube is not officially published on any app store. Sadly, the Google PlayStore does not allow ad-free Youtube apps using unofficial APIs.
Maybe they should actually switch to releasing via F-Droid.
I'm a happy YouTube Premium customer too, as well as a happy SmartTube user. The UX is just so much better in SmartTube than the Youtube app. So much customization is possible, and we can completely eliminate every bit of "Shorts".
Most likely load arbitrary binary code and execute it. Which also makes it really hard to figure out what it actually did.
Among the options of what could be pushed:
- proxyware, turning your network into a residential proxy that can then be sold to anyone willing to pay for them to commit crimes, send spam, scrape, ... with your IP [I believe this is the primary suspect here]
- other standard botnet crap like DDoS bots
- exploits that try to break out of the sandbox to establish persistence, steal other data, or steal your Google account token
- code that steals all data/tokens that the app itself has access to
- adware that shows ad notifications etc.
- ransomware that tries to prevent you from leaving the app (of course this works best if they get a sandbox escape first, but I'm sure you can get pretty close with just aggressive creative use of existing APIs)
The internal auto-updater of the app directly uses GitHub as its source; was this also compromised? If the malware was only on some random apkmirror upload then it should probably be fine for most users.
I think this comment relates to the fact that the article mentions the AFTNews Updater app as a way to install SmartTube... not yet released version of software?
That's referring to Play Protect (virus scan-ish thing on Google branded Android) and whatever Amazon's equivalent is, not an app requested force uninstall of some kind.
That's exactly why I didn't want to trust this app with a google account, it's mandatory to use it. SmartTube also requires permission to install applications for its updater feature so it's also possible if the attack was targeted for the malware to install another app to get persistence.
Although it's very unfortunate this happened, and it shows a lack of security practices, this could happen to any developer. Compromising other apps you do install.
On my TV the app vanished and after some searching, it was disabled. I was kinda afraid Google had finally (ab)used its Play Services power to ban it. But luckily it was because the developer marked it as compromised. All in all impact was minimised this way.
I doubt your statement about requiring a Google account to be connected, as you can also import subscriptions instead of granting access to your account.
[1]: https://github.com/yuliskov/SmartTube/releases/tag/notificat...
[2]: https://www.patreon.com/posts/important-144473602
From my understanding, https://github.com/yuliskov/SmartTube/releases/download/late... links to 30.56, which is the newest clean version. Old app stopped at 30.48.
I installed 30.56 from the git link on my Shield. It did not overwrite the old one, as it has the old signature. I manually uninstalled 30.48. I did not use the backup/restore option in either as I didn't want to dirty any data in the new app.
For me, the link to just the releases returns an empty list at present:
https://github.com/yuliskov/SmartTube/releases/
Backup/restore is just XML files that you can open and inspect
> SmartTube’s developer told me that the computer used to create the APKs for the project’s official GitHub page was compromised by malware. As a result, some official SmartTube releases were unintentionally released with malware.
Seems it's lacking in information about how malware manages to compromise supposedly signed releases? Do authors not have the production signing keys behind a password or similar, and review 100% of the changes before they deploy stuff?
I swear the more time goes on, the more I'm losing faith in the entire ecosystem. People running random binaries on the same device they do banking on always surprised me, but now developers manage to get malware on their developer machine and are publishing random binaries to other strangers???
the malware need not actively create a release like a worm, it can just infect every build and if you don't check carefully, your next regular release will contain it.
This is one of the reasons we fight holy wars for SSO and strict login rules even for Dev or QA environments -- if you can get in during a dev build you can get stuff in there that carries through.
maybe QA will find it... but they're testing X number of JIRA tickets based on Y epics and if it's not on the list they're not looking...
I really hope Google doesn't pick this out (and similar events) as further justification for getting rid of APK-based installation.
Blocking file-based installations was never planned. It's fake news and always has been. It's all about requiring code signing for all code so that malware-spreading authors can be easily blocked by adding their signing key fingerprint to the blocklist.
It doesn't matter whether the app is installed via Play Store, Huawei's or Samsung's store etc., or from APK.
This is a drastic misrepresentation of the situation. All Android apps already have code signing, you cannot install an app unless it has a signature, and any future updates are blocked unless the signature matches. This is how it's been practically since the start of Android, it's part of the security model to prevent something like a malicious Firefox APK stealing your cookies.
What's new is that they were gonna block installations outside of Google Play, unless the developer has signed up for Google Play Console and has gone through a verification process there, whitelisting their signing key fingerprint. However, they've walked back on this and said they'll create a new "advanced flow" for "advanced users" that's "designed to resist coercion" to bypass this restriction. Door in the face technique IMO, the existing 12-step process to installing an app was already complicated enough.
So effectively the result is that file based installations will be blocked unless Google has specifically whitelisted their key through the Google Play Console verification process, or the user goes through this "advanced flow" which we're yet to see any details of.
What an absolute boatload of lies.
I am currently in process of "verifying" my identity with Android Developer console.
In addition to proof of identity (e.g. passport/driver license) Google is demanding a proof of address, government registration, this month's rental agreement, foreign passport... The process is stuck in limbo because months-old documents are deemed "outdated", and I am constantly threatened that my verification request (!) will be denied because of "exceeding allowed number of attempts" (!!)
It shares the same principle as silent Discord account bans and other "verification" harassment schemes, such as Upwork account verification. The excess developers — Google's potential competitors — need to be banished from platform as quickly and cheaply as possible, so that Google can peddle their own spyware unimpeded.
"Malware spreading authors" or "ToS violating authors" or "authors of piracy apps"?
It's kind of shocking to me that so many people would download an app like this and sign in using their actual YouTube account.
It's not just cost and ads. It's having the possibility to reduce attempts to manipulate my inner reptile brain. With various clients, you can disable shorts, recommended, you have sponsorblock, you can replace youtube-face-thumbs with actual thumbs and get crowd-sourced titles that better reflect the contents.
I also don't need to manually go set speed to 1.75x and enable subs in english, it's a one-time setting. _Further_ I can download a video locally, for whatever reason (later viewing, bw throttling, risk of deletion, etc).
As if that weren't enough, I don't have to watch videos logged in, my client is just set up to download my select channels.
I now see zero use of a youtube account.
It has a far better user interface than the official YT interface. And that interface can be heavily customized to your exact preferences.
My wife has YT Premium, and we find ourselves watching YT in SmartTube just because the interface is so much better.
Same here, we also both have YT Premium and use SmartTube. Our dislike of "Shorts" pushed everywhere in the YT app is what got us to switch to SmartTube. We watch Youtube on our 65" TV via Chromecast, so shorts are just really a crap experience and we do not want to see them at all. SmartTube lets us eliminate them, and all the other awesome UI customization makes it a far superior experience.
The cost of being brainwashed by ads and sponsor slots is also high.
Even with YouTube Premium you don’t get the feature set you get with SmartTube. The sponsor block integration on my TV is brilliant.
Why?
I think it's more shocking to people how much YouTube Premium costs.
Is $14 dollars for ad-free, unlimited access to literally billions of videos really a steep price? Personally if I were to get rid of all but one of my media subscriptions I would stick with this one, since it's got everything - entertainment, education, inspiration, you name it.
$14 is two days worth of living in my country for your average man on the street, among many other similar places. Imagine if you had to pay $200 to watch YouTube, that's how much these services cost for us.
They refuse to correct for purchasing power parity and are left with nothing in the end. Steam seems to do very well in comparison.
(I don't watch YouTube even for free, but practically everybody I know does without paying anything, and it makes a lot of sense).
There are a lot of things in this world besides YouTube Premium, which cost $14 or more. That some people in the world are very poor is no kind of argument as to how companies should price their products.
"Purchasing power parity" is a non-concept for almost 100% of companies and products. But YouTube Premium is priced differently in different regions. Sometimes much cheaper than $14.
The person you're responding to is not debating that the companies are setting the wrong prices, so no need to try to convince them that the companies are already setting prices "the right way".
They're explaining for people who don't seem to understand, why people are fine signing in to these kind of 3rd party apps in the first place, because the subscription price ends up being what these people earn in days, not hours.
A semi-successful YouTuber in a low-income country is basically an infinite money hack. Neat little form of advance scouting, like this forum.
I am not going to watch billions of Videos.
It's not entirely ad free, just fewer ads, AFAIK sponsored segments remain so there are still ads, sometimes quite lengthy ones.
$14/month is $168 a year, and if you subscribe to multiple other video services the annual total is going to be quite high.
sponsored segments are skipped with a single button push, so they are negligible. it also comes with yt music
YouTube is 10x the quality and 10x the quantity than any other video service.
As for the ads, YouTube Premium now has built-in sponsor skip. They can't really block sponsored segments, as that is a freedom of speech issue and also something they can't easily determine. Creators can just omit that some product is sponsored.
> YouTube is 10x the quality and 10x the quantity than any other video service.
I guess you could say YouTube surfaces a larger span of quality, from really shit quality to incredible high quality, which I guess is cool. But since they provide zero tools to actually discover the really high quality, and on top of that decide they know better what I want to watch than me (like the subscriptions page not starting with the last published video), does that really matter?
> as that is a freedom of speech issue
It isn't. Freedom of speech in the US (since Google is based there, and maybe you too?) is about the government placing restrictions, not companies or individuals. As an individual (or company), you're free to limit the speech of anyone you want on your platform, for any reason. You might face public outcry, but it isn't a freedom of speech issue as it's on a private platform in the first place.
They provide all the tools to discover high quality videos and channels. It's called "like and subscribe". If you use those features, it doesn't take long before YouTube shows you only high quality videos. And there's also the dislike button and "Do not recommend this channel again", if you need.
> Freedom of speech in the US...
Freedom of speech is a subject which is much larger than the US constitution. I'm not saying YouTube isn't legally allowed to block sponsored segments. I'm saying that they might not want to because they don't want to limit their creators' speech in that matter. Especially considering how easy it would be to side-step. What would be their reason? They've already made it easy to skip sponsored segments.
Youtube is both 10x and 0.1x the quality, and the official app has no way to filter it. They even removed the feature (downvotes) to let the user filter it.
And the proliferation of AI videoslop is only making the 0.1x side larger and larger
>Creators can just omit that some product is sponsored.
Not true in the US, where the FTC requires (and has required for decades) disclosure by the creator to the viewer whenever a payment has been made to the creator to promote anything. On Youtube, this is typically done by the creator's saying (in the video) "this video is sponsored by Foo Corporation", or, "I wish to thank the sponsor of this video, Foo Corporation".
Personally, I'm unhappy with Premium's built-in sponsor skip. For one thing it becomes available to me only after enough previous viewers have manually skipped over the sponsored segment. For another, it sometimes skips ahead too far (probably because the viewers who manually skipped weren't precise in skipping exactly to the end of the sponsored segment). I'd much rather Youtube allowed the uploader to declare (to Youtube) that the upload is free of sponsors (e.g., by checking a box) and then punishing the uploader somehow if he routinely declares falsely. With that information, Youtube could and IMHO should give me the option of telling Youtube somehow (e.g., by checking a box) that I prefer for sponsored videos to be omitted from my recommendations.
I don't think individual YouTube creators are too much concerned about FTC rules and regulations.
Although I like your idea about creators themselves having to declare to YouTube their sponsored segments.
Individual Youtube creators in the US most certainly are concerned about the FTC and about this rule specifically because they do not want to find themselves in court explaining to a judge why they shouldn't pay a big fine.
Also, if the creator doesn't follow the rule, the sponsor can be fined by the FTC, so even before the FTC notices the violation, the sponsor will probably notice and refuse to continue the relationship unless the creator's videos come into compliance with the rule.
Again, this rule has been in effect for decades in the US. Advertisements in the US must be labeled as such. Ditto paid endorsements.
SponsorBlock helps with them.
I do not use it because I do want to support the people I watch. I just skip manually if it is of no interest.
I have YT Premium that pays much more than sponsors. That's also why I just use Firefox instead of third party apps to watch YT.
essentially every YouTuber I've watched who discussed their financials said that their sponsorships brought in several times more money than all forms of YouTube money.
which is a very niche slice, and I have no idea how representative it is in aggregate. but sponsorships happen because they pay well enough to annoy every viewer, not just ones that aren't using the better-paying Premium - they generally are not cheap, to say the least.
Linus Tech Tips disclosed their finances: https://www.reddit.com/r/LinusTechTips/comments/1jjplow/ltt_... - and their sponsorships are less than the YT ads income.
If you look at Premium, it's about 100x more lucrative than regular views. So I'm pretty sure I'm providing more money to creators than the skipped ads.
To be clear: I completely believe that Premium is a major source for many people. 100%. I just haven't seen many examples of it, outside tubers that have zero sponsorships (because they're small and/or not doing the low-value slightly-shady ones that get spammed everywhere). I'm thrilled that Premium seems to pay relatively well, it's better for everyone to move away from ads where possible.
LTT though is a rather significant outlier in terms of subscribers (16.6 million right now). For truly large channels it's reasonable for the equation to be different.
And the equation for them really is different. They're a company with ~100 employees¹ and YouTube and video sponsorships came out to just 11.6% (ads AND premium) and 9.2% respectively of their multi-person company income. People claiming "SponsorBlock steals from creators" aren't talking about LTT, they're talking about smaller creators for whom YouTube stuff is a majority of their income.
Plus, like. Ads+premium lumped into one. It wouldn't surprise me if premium was lower than sponsorships.
1: https://en.wikipedia.org/wiki/Linus_Media_Group
I know a couple of other creators, and a YT Premium view for them is about 10x more lucrative than sponsorship+ads.
It completely changes if we're talking about non-Premium views.
I suspect we're in different niches then or something. If ya don't mind sharing / have links handy, do you have any examples? I'm curious what kind of channel it works well for.
I can try to hunt mine down, but most of the examples I've had were from a couple years ago, and YouTube's history is rather hard to search for stuff like that :| Not high odds of success.
These are niche Russian-language channels (@Varlamov, @Max_Katz). They disclosed their finances to drive up Patreon/Youtube subscriptions because Youtube stopped monetization from Russia.
I've been trying to find public numbers for English-language channels, but wow. So much slop.
When the alternative is the exact same thing you describe but for $0 dollars, then yes.
For sure! $0.00*
* $0.00 plus additional risk that the author of the alternative you are using is compromised, you end up using a malicious version of that alternative, and get pwned.
Obviously for some/many, that trade-off is totally cool. But it needs to be included in the analysis, otherwise you're being dishonest.
Not to mention included YouTube Music. It's one of the few subs I pay for, because I watch a _lot_ of YouTube on the TV. And also like to have it in the background for "Podcast" style videos where the video is really only an accompaniment.
That's actually worse. They used to have a separate YouTube subscription. I don't want (to pay for) YouTube Music, because I already have Apple Music and Tidal, which I prefer.
This is not accurate. The entire time that YouTube Premium (Red) existed, a subscription to it always included the music service.
Also, since Youtube Music is just a skin over Youtube, it's not true that your subscription must necessarily be cheaper if there were no Youtube Music.
I'm the opposite. With YouTube Music, I don't need Apple Music, Spotify, Tidal, or any other service. For me, YouTube Premium is a good deal, and other than Fubo TV it's the only streaming media subscription I have.
14 dollars a month for a decade is $1680.
To save $1680 I'd prefer to just use an adblocker (which I have done for the past decade)
The hacker boy one day came back from school panting, sweating and exhausted. His father asked him:
- What happened to you?
- I figured that if I ran behind the bus, I'll save the $3 dollars the ticket costs-
The hacker father smacked his son hard on the head and cried:
- You fool! To run behind a bus like that! You should have run behind a taxi instead and you would have saved at least $50 dollars!
Then they both watched YouTube together the rest of the evening, thinking eagerly about all the juicy money they would save over the next decade.
3 dollars is like a week of bus fares here and I remember a friend would walk back home from school to keep half the money.
Yes, and you choose to risk losing the most important platform to humanity next to Wikipedia. Youtube should be a public service.
Insane hyperbole here, this guy's adblock = risking humanity losing its 2nd most important platform owned by one of the most profitable companies in the world
OpenAI thought of it first, should YouTube get a government backstop too?
I am dubious about the importance of Youtube. If it disappeared tomorrow how long would it take for most videos to reappear elsewhere? Some of the creators I watch do have the videos available elsewhere. Veritasium is on Odysee, lots of people are on Nebula (and release videos there that are not on Youtube), etc.
I think there is a good argument that having a single dominant platform has been harmful.
Imo, most videos would never be re-uploaded somewhere else. Currently-active creators that choose to keep a backup copy of their videos are probably the minority of creators.
YouTube wouldn't exist as a public service. there would be no incentive to make videos
Why wouldn't there be incentives? If you are thinking monetary then the existence of youtube disproves your statement.
Let’s not get too hasty comparing YouTube to Wikipedia. Maybe what you watch on YouTube is interesting and educational, but let’s not forget it’s also a major platform for misinformation, propaganda, conspiracy theories, radicalisation, scams…
That's extremely subjective, but I'd rather save that $14 a month towards retirement. And if YouTube was only available with ads... well, that's no videos for me, maybe for the better, I would waste less time.
Sure, and you're free to
1. Save $14 for retirement and not watch Youtube
2. Save $14 for retirement and watch Youtube with ads
3. Pay $14 a month for Youtube without ads
The only option that's not fair is expecting private companies and creators to give you entertainment and its delivery with nothing in return.
Google uses your data and habits for profit. Don't pretend it's free.
Google is free to block me / my IP / ban my account.
In high school I knew a kid who would go around looting loose change from unlocked cars. He'd pull the driver side door open like it was his car, hop in, loot the center console, then hop out like nothing happened. He wouldn't take valuables (as far as I knew), just change, so maybe a few bucks per car.
His rationale? "Nobody will cry over a few missing quarters and they are free to lock their doors anyway."
Blocking ads is the same as stealing.
You are very intelligent.
The reason it's not stealing is because the cost to serve the content is tiny (spare change) and the sites don't stop you from viewing it with ad-blocker (unlocked doors).
The reason it's not stealing is because stealing means to remove someone of the ownership of something they own.
You are able to make your own definition though. The clear mark of a very intelligent mind.
I did not invent the definition of "IP theft" or the laws around it.
But I suppose strictly speaking, theft is not the same word as stealing. I was not smart enough to get that. You're right, and I apologize.
Not that ad-blocking is illegal, it's not, but it does bypass payment to creators for content they provide. Which functionally acts the same as theft.
It is yes. Your ability to create new meaning for words is awesome.
I get cat videos through messengers.
$14 dollars better spent on liberapay
For something that was previously free with only unintrusive ads, yes.
> for ad-free
Most youtube content being disguised ads, this cannot be true.
>ad-free
hasn't been in over a year
Youtube premium is still ad-free. There is a Youtube premium lite which is kinda-ad-free-but-not-really, but the full ad-free one still exists.
youtube premium has sponsorblock integrated now?
basically, yeah. there's a white fast forward button that appears during frequently fast forwarded sections, which unsurprisingly happens to be sponsor sections.
??? I've been on youtube premium / redtube since the beginning and I've been served 1 ad incorrectly in that time.
> YouTube premium / redtube
I just googled redtube and uh... are you sure?
YouTube Premium was originally called YouTube Red. Grandparent poster may have made a Freudian slip. :)
I know, I was just being... sassy. Partly because I didn't actually need to google it.
I’ll never forget how out of touch they are :)
YouTube Red was the previous name of YouTube Premium, probably renamed because of the unfortunate name clash you just noticed.
That's a very generous characterization of what most YouTube content is.
My experience is that you are basically paying to remove the official ads from your disguised ads.
The various algorithm tweaks for engagement these past few years and the introduction of shorts have significantly degraded the content quality and many good channels have just thrown in the towel.
Right, I want premium because it's a "fair" payment for the service I use and would help support the people who make good content, but the vast majority of those dollars go to the company who is solely at fault for encouraging and essentially requiring creators to use clickbait and fake thumbnails and put out slop every single day and never ever ever try doing something slightly different and consistently change things in ways that those creators do not want and hate. Every complaint you likely have about youtube content was forced by youtube for their own profitability. Don't like sponsorships? People mostly started seeking them out after Google cut ad payouts essentially in half with no warning. Don't like videos being way longer than they need to be? That's because youtube started paying out based on watch time instead of views and that encourages padding. Don't like censorship? It was Youtube's choice to shadowban/punish anyone who even said the word pandemic during a literal global pandemic that people probably wanted to talk about, even in passing. Buy into Youtube's new "channel member" feature in good faith? Well then Youtube changed it so that the videos that only members can watch are now shoved in front of everyone's eyeballs without your approval or desire or asking and it's really annoying to all your viewers. Don't like every video spending 30 seconds telling you to subscribe and "hit that like button" and then the fucking bell? That's because google decided that if your video didn't have a high enough click through rate, it wouldn't be shown to subscribers at all, and then introduced the bell for "subscribers but for real", and then even that hasn't really been honored. Youtube has for example suddenly decided that I should be shown low view russian language plagiarism of videos I like that have then been autodubbed back into english rather than the video from one of my subscriptions that was copied to make the russian video. 
How is that supposed to help anyone?
I will happily pay for youtube when they show that they want to encourage good content and help empower the people who make that good content, but Google doesn't want to do that because Mr Beast slop advertising to your kids is more profitable.
So I pay for Nebula instead.
I hate google, and I refuse to give them any money.
Thanks for paying $14/month to support my ad-free yt-dlp archive, schmuck.
Usually people who are a leech, a drain on society don't go around bragging about it, but you do you.
$14 and I still have to run several plugins just to make the site actually usable. No thanks.
It's >12x the ad revenue they bring in per monthly-active YouTube user (suggesting they'd still be happy with a much lower price), and the price has increased 75% in the last decade (compared to the 40% real inflation over that period, suggesting they intend to continue increasing the price till public backlash or other effects reduce their total revenue). Plus they're boiling the frog, slowly adding ads back in to music and shorts for premium users, and we'll see how far that initiative goes.
> Plus they're boiling the frog, slowly adding ads back in to music and shorts for premium users
Do you have a source for this?
I do value watching unlimited youtube videos without ads, but if they're gonna add the ads back in, I'd easily stop paying for the one google product I currently pay for (and honestly the only reason I haven't already done this is laziness and convenience)
> the price has increased 75% in the last decade
It launched at $9.99[1] and is now $13.99[2] which I believe to be a 40% increase, i.e. flat in real dollars. If like most people you subscribe for a year, it's only $11.67/mo.
1: https://www.cnet.com/tech/services-and-software/youtube-free...
2: https://www.youtube.com/premium
I was going off the 7.99/mo price I first paid (which they've recently stopped grandfathering in). Was that not a common amount people paid?
This suggests that you initially subscribed to Google Play Music at their launch special price, and were later grandfathered into getting YouTube Premium at the same price, or that you used YouTube Music Key (yes, more product roadmap confusion!) with the same outcome, or that you signed up with a student account (this is still $7.99 today).
I have premium but also this app. It has SponsorBlock and better UI customization than the official one.
Sometimes people download it because there's no alternative. E.g. the YT app is not available in the play store in their country on that specific hardware, so the only way to be able to view YT is to use an alternative app like this one.
> the only way to be able to view YT
Surely you can use a web browser?
The user experience accessing YouTube through a web browser on a TV (the main target audience for SmartTube) is less than ideal.
TV and set-top box browsers tend to be slow and fiddly to use from a TV remote. (And often running on underpowered hardware).
Google Account.
Not Youtube account.
Technically correct but somewhat misleading. The app in question only asked for the following Google account permissions:
I really couldn't care less about my youtube account
I can't help but think that this is a "I have nothing to hide" argument. It's quite sisyphean to keep accounts perfectly segregated, therefore there's always a chance that personal information can be traced back and pieced together; which, in turn, has "boring-old security" implications: i.e., now someone possibly knows your habits and times when you are at work
my "personal" information there is as personal as my profile here
YouTube accounts and Google accounts have been one in the same since 2009.
Many people have had multiple gmail accounts since 2004.
I have a gmail account used solely for google store and Android TV related verifications that's unlike other business, personal, registration, or spam email accounts.
The TVs in the house, smart wifi devices, and guest wifi accounts are on separate subnets, the NAS hosted media has limited read only keyhole access accounts for TV apps to use.
Whether it's SmartTube or any other app (iView, SBSOnline, Netflix, etc) it's wise to assume that anyone can be compromised by malware to sniff traffic for (say) bank account passwords, host bots for DDOS or mining, etc.
You don't use a dedicated account for youtube?
Obligatory call to free yourselves from having GMail as your (only) main email and especially to not tie it to YT or other unrelated services.
I can absolutely imagine my YT accounts at some point getting banned for using adblock, some stupid private upload or some comment.
Having your own domain name is the best option (ideally not hosting on gsuite!)
one AND the same
how does this matter?
You risk losing your entire Google account along with all documents, photos, mail, and whatever else you have there. Enough stories of this happening if you look around.
If you're just a normal user the risk is very low. This almost always happens when someone using Google APIs for business purposes trips a fraud or spam detector.
The risk always exists.
Also are you really using same account for gmail, your personal pictures/docs and youtube?
> Also are you really using same account for gmail, your personal pictures/docs and youtube?
Most people use "sign in with Google" and tie their Google account to services well beyond the Google ecosystem, just to avoid creating a new entry in their password manager (lol). You think people are making new Google accounts for each Google service? That's hard for me to believe.
Not necessarily everyone but I would expect the population visiting hacker news to do so.
you risk that regardless, which is why I don't rely on them at all
That's super cool! Some people care a lot, some people don't care at all. What a strange world.
It's such a good client. With the YT Roku app, if you change playback speed, quality will drop to 720p or lower. SmartTube lets me watch at full 1080p with 1.5x speed.
No ads is of course a big plus too.
This will inevitably be used as ammunition against sideloading, but it’s really a lesson in supply chain trust.
When we move away from walled gardens (which I support), the burden of verifying the "chain of custody" shifts to the user. Installing an APK that auto-updates with root/system privileges is essentially giving a single developer the keys to your living room.
We need better intermediate trust models—like reproducible builds signed by a quorum of maintainers—rather than just "trust this GitHub release."
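One way to make the "quorum of maintainers" idea concrete, as an added example that is not code from the SmartTube project or from anyone in this thread. It assumes reproducible builds (so every maintainer can rebuild the APK and confirm the same SHA-256 digest before signing), Ed25519 detached signatures, and maintainer keys identified by the SHA-256 fingerprint of the public key. The keys and the artifact bytes are constructed for the demo. It also folds in the point raised earlier in the thread about marking a leaked signing key as compromised: a revoked fingerprint contributes nothing to the quorum even when its signature still verifies, and a single key cannot meet the threshold by signing twice.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Maintainer is one release signer, identified by the SHA-256 fingerprint
// of its public key (the same kind of value a signer blocklist would hold).
type Maintainer struct {
	Name string
	Pub  ed25519.PublicKey
}

// Signature is one maintainer's detached signature over the release digest.
type Signature struct {
	Signer string // fingerprint of the key that produced Sig
	Sig    []byte
}

// Fingerprint returns the hex SHA-256 of a public key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// ReleaseDigest is the value every maintainer signs: the hash of the build
// output. With reproducible builds each maintainer rebuilds and checks the
// digest independently, so no single build machine has to be trusted.
func ReleaseDigest(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return sum[:]
}

// SignRelease produces one maintainer's signature over a digest.
func SignRelease(priv ed25519.PrivateKey, digest []byte) Signature {
	pub := priv.Public().(ed25519.PublicKey)
	return Signature{Signer: Fingerprint(pub), Sig: ed25519.Sign(priv, digest)}
}

// VerifyQuorum counts valid signatures from distinct, trusted, non-revoked
// maintainer keys and accepts the release only if the count reaches threshold.
func VerifyQuorum(digest []byte, sigs []Signature, trusted []Maintainer,
	revoked map[string]bool, threshold int) (int, error) {
	byFP := make(map[string]ed25519.PublicKey, len(trusted))
	for _, m := range trusted {
		byFP[Fingerprint(m.Pub)] = m.Pub
	}
	counted := make(map[string]bool)
	valid := 0
	for _, s := range sigs {
		pub, known := byFP[s.Signer]
		switch {
		case !known: // key is not in the maintainer set
		case revoked[s.Signer]: // key has been marked compromised
		case counted[s.Signer]: // same key may only be counted once
		case !ed25519.Verify(pub, digest, s.Sig): // bad signature or wrong artifact
		default:
			counted[s.Signer] = true
			valid++
		}
	}
	if valid < threshold {
		return valid, fmt.Errorf("quorum not met: %d valid, %d required", valid, threshold)
	}
	return valid, nil
}

// NewMaintainers builds three maintainers from fixed seeds so the example is
// deterministic. These are constructed demo keys, not how real keys are made.
func NewMaintainers() ([]Maintainer, []ed25519.PrivateKey) {
	names := []string{"alice", "bob", "carol"}
	var ms []Maintainer
	var privs []ed25519.PrivateKey
	for i, n := range names {
		priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{byte(i + 1)}, ed25519.SeedSize))
		ms = append(ms, Maintainer{Name: n, Pub: priv.Public().(ed25519.PublicKey)})
		privs = append(privs, priv)
	}
	return ms, privs
}

func main() {
	ms, privs := NewMaintainers()
	digest := ReleaseDigest([]byte("constructed stand-in for a reproducible APK build"))
	var sigs []Signature
	for _, p := range privs {
		sigs = append(sigs, SignRelease(p, digest))
	}
	// alice's key is later found to be compromised: revoke it, require 2 of 3.
	revoked := map[string]bool{Fingerprint(ms[0].Pub): true}
	n, err := VerifyQuorum(digest, sigs, ms, revoked, 2)
	fmt.Println("valid signatures:", n, "error:", err) // 2 valid, no error
}
```

The design choice worth noting is that revocation and the quorum threshold are checked by the installer or update client, not by the release pipeline: a compromised build machine can still produce a signed artifact, but it cannot produce the other maintainers' signatures over a digest that their own rebuild would not have matched.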
The official announcement is very sparse on details. If the developer doesn't know how his digital signature (and update infrastructure?) was compromised, how does switching to a new signature help? It could get compromised in the exact same way.
The article linked here brings some more details, but also, the official statement doesn't use the word "compromised". If it did, well it would be a statement with different meaning than the one that was released for us to read.
A lot of people installed malware and, to be honest, nothing really happened. They might have had to change their passwords, but it could have been much much worse if Android didn't have good sandboxing.
I hope that Flatpak and similar technologies are adopted more widely on desktop computers. With such security technology existing, giving every application full access to the system is no longer appropriate.
Why do you need Flatpak for sandboxing?
I really dislike Flatpak for installing multiple identical copies of the dependencies.
Just give me some easier to use tools to configure the access that each application has.
> Why do you need Flatpak for sandboxing?
You don't, but as far as I know, Flatpak or Snap are the only practical, low-effort ways to do it on standard distros. There's nothing stopping flatpak-like security from being combined with traditional package management and shared libraries. Perhaps we will see this in the future, but I don't see much activity in this area at the moment.
Really hate these "something was found" announcements.
Which channel distributed the compromised apk? What is the signature of the payload injected? What is the payload, what does it do?
Thought it was worth mentioning the developer is Ukrainian. If it was a targeted attack, it certainly could be state-sponsored by Russia.
> Do not download SmartTube from any app store, APK websites or blogs; these were uploaded by other people and may contain malware or ads. SmartTube is not officially published on any app store. Sadly, the Google PlayStore does not allow ad-free Youtube apps using unofficial APIs.
Maybe should actually switch to releasing via F-Droid.
Happy YouTube Premium customer here
I'm a happy YouTube Premium customer too, as well as a happy SmartTube user. The UX is just so much better in SmartTube than the Youtube app. So much customization is possible, and we can completely eliminate every bit of "Shorts".
What can malware in an apk do?
Most likely load arbitrary binary code and execute it. Which also makes it really hard to figure out what it actually did.
Among the options of what could be pushed:
- proxyware, turning your network into a residential proxy that can then be sold to anyone willing to pay for them to commit crimes, send spam, scrape, ... with your IP [I believe this is the primary suspect here]
- other standard botnet crap like DDoS bots
- exploits that try to break out of the sandbox to establish persistence, steal other data, or steal your Google account token
- code that steals all data/tokens that the app itself has access to
- adware that shows ad notifications etc.
- ransomware that tries to prevent you from leaving the app (of course this works best if they get a sandbox escape first, but I'm sure you can get pretty close with just aggressive creative use of existing APIs)
In an article about not downloading malware: "You can use my downloader! It's totally safe, bro!"
Yeah, I'll pass.
The internal auto-updater of the app directly uses GitHub as its source; was this also compromised? If the malware was only on some random apkmirror upload, then it should probably be fine for most users.
Apparently, yes. My guess is it was the Shai-hulud npm malware leaking their Github keys.
I think this comment relates to the fact that the article mentions the AFTNews Updater app as a way to install SmartTube... a not-yet-released version of the software?
>>"It is likely the presence of this malware that caused Google and Amazon to forcibly uninstall SmartTube on some devices, ... "
Where can I read more about *unrequested uninstalls*? Google search only shows results about how impossible it is to remove phone default apps.
That's referring to Play Protect (the virus-scan-ish thing on Google-branded Android) and whatever Amazon's equivalent is, not an app-requested force uninstall of some kind.
So we all agree google is probably behind this, right?
That's exactly why I didn't want to trust this app with a Google account; it's mandatory to use it. SmartTube also requires permission to install applications for its updater feature, so it's also possible, if the attack was targeted, for the malware to install another app to get persistence.
Although it's very unfortunate this happened, and it shows a lack of security practices, this could happen to any developer, compromising other apps you do install.
On my TV the app vanished and after some searching, it was disabled. I was kinda afraid Google had finally (ab)used its Play Services power to ban it. But luckily it was because the developer marked it as compromised. All in all, the impact was minimised this way.
I doubt your statement about requiring a Google account to be connected, as you can also import subscriptions instead of granting access to your account.
> it's mandatory to use it
I've been using it for years and I've never had to sign in.