Subtitles Malware: What It Is, and How to Avoid It

What files come to mind when you think of potentially dangerous filetypes? .exe files are definitely up there, as are app downloads from shady websites. Quite low on that list will be files such as .txt, which are usually highly trusted not to contain a virus.

This train of thought that something is “too simple” to carry viruses, however, can be great for hackers. They can use this false sense of security to sneak malware into a file that’s “too basic” to carry them. Recently, for example, there was a nasty spike of attacks as subtitles malware were being used to gain control of people’s computers.

Why Subtitle Files?

Getting a virus from a subtitle file seems very strange! After all, isn’t it just a file full of text?

While the subtitle file itself may not be able to do much damage, it can start a series of events that gives hackers access to someone’s computer. The main attack method for subtitle files is to act through a media player. Once installed, the subtitle file works through the media player when loaded to grant hackers access to the victim’s PC. Given how there are twenty-five different subtitle file types in use at the moment, media players have had to stretch themselves to fit every use case. This naturally leaves security holes that can be used.

Even worse, because subtitle files are highly trusted, the amount of security when parsing a subtitle file is very low. Not only are there flaws in the security, but should something take advantage of said flaws, there’s usually nothing there to stop it from taking control.

Due to the benign nature of subtitle files, antivirus software may totally fail to register the threat at all, making them a silent and effective means of gaining access to someone’s computer.

Who Does this Affect?


While there are a lot of lesser-known players out there that might be affected by this exploit, Checkpoint listed Popcorn, Kodi, VLC, and Stremio are popular video players that were vulnerable to this attack. As such, if you’ve used these players with downloaded subtitle files recently, you might want to perform a malware scan on your computer, especially if you haven’t updated the player in some time.

How Does the Attack Work?


In order for a hacker to get a subtitle file installed on a PC, they perform the following:

  1. First, they make or take a subtitle file that fits a popular movie, adding malicious code into it.
  2. They post the subtitles to a repository, which both people and software use to download and install subtitles.
  3. By abusing the rating system on said repositories, the hackers get their infected file boosted to the top of the list of subtitles as the most accurate subtitle file on the site.
  4. Users find the top-rated infected file and install it into their media players. This is done either manually by the user or by a user giving a command to a media player programmed to automatically locate and install the top-rated subtitle files on specific websites.
  5. Once run, the infected subtitle file grants hackers access to the victim’s PC.

If you’d like to see a somewhat scary demonstration of the hack in motion, watch the following video.

How Do I Avoid Subtitles Malware?


If you want to keep yourself safe, the solution may be very simple: check to see if your video player has updated itself to fix this issue. Now that the exploit has been found, the developers of the video players have worked on fixing it. Checkpoint reports that the four media players listed above already have patches available to fix this exploit, so make sure that your video players are up to date and running the latest version.

If you want to make sure you don’t fall for a future subtitle trap, be careful when downloading subtitle files. Never download a file that comes from a suspicious-looking website. On trusted websites you can keep yourself safe by looking for trustworthy subtitles. You’re looking for files that are both highly-rated and have been around the website for some time. You can sometimes tell how long a file has been around by its upload date, which some websites list in the details. Don’t rely on players automatically fetching subtitles, as they can be exploited to find and install malicious files.

Also, make sure to check if your media already comes with subtitles. Because the hack depends on downloaded subtitles, they cannot affect subtitles already bundled with physical media (DVDs, Blu-Ray) or streamed media (Netflix). If you use the subtitles that come with the movie, there’s no risk of a malware infection.

Sub-Par Subtitles

When files are “too basic” to carry viruses, it opens a potential door for hackers to exploit. Subtitle files have recently been used as an attack vector to control other people’s computers. By keeping video players up to date and staying savvy, you can avoid this particularly scary attack.

Do you download subtitles from websites? Does this attack make you more wary of using them? Let us know below.

Simon Batt
Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox