Popular streaming platforms like VLC, Kodi, PopcornTime, and Stremio are affected, but most of them have already fixed the vulnerability.
Just a few hours ago, we told you about the new Cloak & Dagger malware affecting all Android devices, and now a separate vulnerability has emerged in the form of malicious subtitles in media players. Researchers from Check Point Software Technologies have discovered a new attack vector that lets hackers take full control of your device when you add infected subtitle files to popular streaming platforms like VLC, Kodi, PopcornTime, and Stremio. It’s important to note that this vulnerability applies not just to Android smartphones but also to PCs and smart TVs.
As you can see from the video above, these cyberattacks can be carried out relatively simply: because of the poor state of security in the aforementioned media players, hackers can upload malicious subtitles to online repositories (e.g. OpenSubtitles.org), and once such a file is opened by the user, the attacker can take full control of the user’s device. The problem is that some media players download subtitles from the web automatically, and hackers can even manipulate the online ranking algorithm to ensure that their infected subtitle files are chosen. This means that millions of users worldwide could be at risk. The researchers declined to detail how the vulnerability works in order to protect users.
The good news, however, is that most of these media players have already fixed the issue and released an update: if you are a PC user, updates are available for PopcornTime (as a manual download), Kodi, VLC, and Stremio. Kodi has also updated its Android app, which can be downloaded from the Play Store. Unfortunately, VLC’s app for Android might still be vulnerable, since its last-updated date in the Play Store still shows as August 2016.
Do you use any of these media players? Have you updated them to make sure you’re not susceptible to these attacks? Let us know by leaving a comment below.