Hackers are hiding computer viruses in film subtitles, security experts warn

Ransomware message on a computer screen
Researchers warned the attack could be used to install ransomware Credit: AFP

Hackers can hide computer viruses in online video subtitles and use them to take control of computers, security experts have warned.

The attacks are embedded within the subtitle files that accompany many illegally downloaded films, and easily bypass security software and antivirus programs designed to keep computers safe.

Check Point, the security group that discovered the flaw, said millions of people who use video software including to stream or play films and TV shows on computers could be at risk. 

They warned that the attack lets hackers take "complete control" over any type of device using the software, including smart TVs. It identified four programs - VLC, Kodi, Popcorn Time and Stremio - but said there could be more.

"We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years," they said.

Many videos do not come with their own subtitles, but computer media players often automatically download special files from a central online repository.  Because they are perceived as harmless text files and use a variety of different formats, the software does not check them for viruses.

However, Check Point showed it was possible to include debilitating computer viruses within the files that are activated as soon as subtitles are switched on. They were also able to manipulate the rankings on opensubtitles.org, the popular online database, so that video software would automatically download the virus-filled files.

"This method requires little or no deliberate action on the part of the user, making it all the more dangerous," the researchers said.

VLC, Popcorn Time and Kodi are commonly used to stream or download pirated films, as well as those from legitimate sources. They could be breached when run on smart TVs and mobile devices as well as PCs.

Check Point warned that once attackers took control of a system, they could steal files or demand a ransom from victims. "The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass denial of service attacks, and much more," they said.

VLC, Kodi, Popcorn Time and Stremio said they had developed patches to protect against the attack, although many users will not have updated to the latest software. The latest versions of the software are available to download on their websites.

 

License this content