We enter our streaming platform, play a movie and choose the subtitles. All ready for our moment of leisure and relaxation, and also a way for us to hide in our computer malicious software camouflaged in malicious subtitles.
This is what Check Point has discovered, a malicious software gateway exploiting an existing vulnerability in popular streaming platforms . A new vector malicious software that does not require any hook like download the attachment of an email or click on a banner, but it happens silently after giving the "play".
Lights, camera and remote control
The attackers have been quite skilful giving with this way of entry and especially in the application of the attack, since as we said do not skip any window or it is not a mail or message that arouses suspicions. In addition, it is a vulnerability that currently exists in services such as Popcorn-Time, VLC , Kodi (XBMC) or Stremio ** among others, so at Check Point estimate that there are a total of 200 million users affected.
How does it fit into our system? The real entry vehicle of the software are malicious subtitles that are downloaded (either by the user or by the streaming service) to execute them when viewing content on such platforms. But the key is not only to take advantage of the ingenuity of the user, but in that the antivirus "understand" these subtitles as innocuous text files and do not detect it.
And what does he do? While we enjoy our movie the software acts remotely, opening the door to the attacker to take control of our device . In other words, from the moment the subtitle file is opened our computer, television or mobile device control is left in the hands of the attacker, having access to all our information and can install more malicious software.
Touch to prevent and update
They are days of computer security alerts, and in recent weeks we have seen (or have been victims) of massive attacks on various types of malicious software such as "WannaCry" ransomware , which hijacks user information. In this case the kidnapping is total, taking control of the device and we do not even have to be the ones who download the subtitles, since the algorithm that establishes the ranking of sites like OpenSubtitles.org can be manipulated, so that the streaming service Download automatically.
At the moment the vulnerabilities have been found in these four platforms that we have mentioned, but since it is related to the way of processing the subtitle files, in Check Point they believe that there will be more affected players. Do you use any of them? Take a look at these links, given that the affected platforms have been making available solutions as they have been updated but not on the official page in all cases:
- Kodi: available version in code in Github. According to TorrentFreak, version 17.2 will be available this week.
- VLC: updated version with major vulnerability repair available for download, although all bugs will be fixed in version 2.2.6 that will be published later.
- Popcorn-Time: An updated version is available .
- Stremio: they have updated the version of its official page.