Malicious Movie Subtitle Files: A New Cyber Security Threat

Hackers have come up with a new method to trick popular media player platforms such as VLC, Kodi (XBMC), Popcorn-Time and A remote access tool is placed in movie subtitle files and later used to take over user devices.

Subtitle Cyber Attack

Hackers are exploiting vulnerabilities found in four popular streaming platforms, i.e. VLC, Kodi (XBMC), Popcorn-Time and to mount cyber attacks and threaten millions of users worldwide, reported Check Point, an IT security software company.

Check Point published the research findings on May 23, 2017, observing that “We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years.”

The virus is served through existing distribution channels, such as popular media players that have millions of users.

How Does the Attack Take Place?

The latest subtitle attack hides a remote access tool in movie subtitle files. After the file is opened by the media player, the attacker gains access to the user’s device.


Since each media player tries to support multiple subtitle formats for better coverage across its user base, there are plenty of forums for attackers to slip their infected files through. These files (usually a .srt or .sub) are included in torrent movie downloads.

Additionally, the media player companies parse these files using different methods, leaving a key vulnerability in their security and audit process.

Infected files are delivered as movie subtitle text files loaded by the user’s media player. Because subtitle files are considered a trusted source, they carry the malicious virus past the standard security measures of media players and computer systems.
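Treating a downloaded .srt as untrusted input rather than as trusted text, shown as an added example (not code from Check Point or any media player project): a strict structural check run before a file is handed to a player. The function name, the size limit and the tag allow-list are assumptions chosen for illustration.

```python
import re

MAX_BYTES = 1_000_000                    # assumed upper bound for a feature-length .srt
ALLOWED_TAGS = {"i", "b", "u", "font"}   # assumed allow-list of inline styling tags
TIME_LINE = re.compile(
    r"^\d{2}:[0-5]\d:[0-5]\d,\d{3} --> \d{2}:[0-5]\d:[0-5]\d,\d{3}$", re.ASCII)
TAG = re.compile(r"</?\s*([A-Za-z][A-Za-z0-9]*)[^>]*>")


def check_srt(data: bytes) -> list[str]:
    """Return reasons to reject `data` as a plain SubRip file (empty list = accepted)."""
    if len(data) > MAX_BYTES:
        return [f"file is {len(data)} bytes, over the {MAX_BYTES} byte limit"]
    try:
        text = data.decode("utf-8-sig")  # strict decode; tolerates a UTF-8 BOM
    except UnicodeDecodeError as exc:
        return [f"not valid UTF-8: {exc.reason}"]
    problems = []
    # Control characters other than tab/CR/LF have no place in subtitle text.
    if any(ord(c) < 0x20 and c not in "\t\r\n" for c in text):
        problems.append("contains control characters")
    blocks = [b for b in re.split(r"\n\s*\n", text.replace("\r\n", "\n").strip()) if b]
    if not blocks:
        problems.append("no cues found")
    for n, block in enumerate(blocks, start=1):
        lines = block.split("\n")
        if len(lines) < 3:
            problems.append(f"cue {n}: expected index, timing and text lines")
            continue
        if not lines[0].strip().isdigit():
            problems.append(f"cue {n}: index line is not a number")
        if not TIME_LINE.match(lines[1].strip()):
            problems.append(f"cue {n}: malformed timing line")
        for tag in TAG.findall("\n".join(lines[2:])):
            if tag.lower() not in ALLOWED_TAGS:
                problems.append(f"cue {n}: unexpected <{tag}> tag")
    return problems


# Constructed samples: one ordinary cue, and one file that is not plain SubRip text.
GOOD = b"1\r\n00:00:01,000 --> 00:00:03,500\r\n<i>Hello there.</i>\r\n"
BAD = b"1\n00:00:01,000 --> 00:00:03,500\n<script src=x></script>hi\n\nx\nnot a time\ntext\n"

if __name__ == "__main__":
    for name, sample in (("good.srt", GOOD), ("bad.srt", BAD)):
        print(name, check_srt(sample) or "accepted")
```

A file that passes this check can still trigger a bug in a particular parser, so the check narrows what reaches the player and does not replace running a patched version.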

The Subtitles Supply Chain

“The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities. This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers,” said Check Point’s Vulnerability Research Team Leader, Omri Herscovici while talking to

There are numerous websites that contain subtitle repositories which can be manipulated in a way that media players end up downloading the malicious subtitle files. Three of the most popular subtitle websites are Open Subtitles Org., Movie Subtitles Org., and

“By manipulating the website’s ranking algorithm, we could guarantee crafted malicious subtitles would be those automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain, without resorting to a Man in the Middle attack or requiring user interaction,” wrote the Check Point Research Team.

Cyber Attack Example
Source: Check Point

The result is that hackers can take over devices such as set-top boxes, PCs, smart TVs, or mobile devices on which users have installed the media player. It seems that if a file can be treated by the media player as a subtitle file (despite being a malicious file containing the virus), there is a good chance of circumventing conventional anti-virus software.

What To Do About It?

As of now, the company publishing this research has not divulged technical details of the vulnerability. Check Point shared its findings with the vulnerable media player companies. The company’s blog notes that “Some of the issues were already fixed, while others are still under investigation. To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point.”

Hackers are improvising their cyber attacks. Only a few weeks ago, a major ransomware attack crippled hospitals across the UK. The use of new and nontraditional cyber attacks shows that hackers constantly innovate to mount new kinds of attacks and take over devices and user accounts.

