It will not only dump the malware onto the desktop but also send the necessary notification to the attacker, and it affects users of video players such as Popcorn Time and VLC. Each of the media players found to be vulnerable to date has millions of users, and we believe other media players could be vulnerable to similar attacks as well.

Subtitle files for movies and television shows can be created by a range of writers and uploaded to online repositories, such as OpenSubtitles.org.

The players expect subtitle files to contain text only, so most do not look to see if anything malicious has been inserted instead, said the security firm.

By conducting attacks through subtitles, hackers can take complete control over any device running them. There are over 25 subtitle formats in use, each with unique features and capabilities.

“This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers.” The attackers create malicious subtitle files for TV programs and films, which viewers subsequently download, giving the attackers a chance to gain full control over any computer system on which the vulnerable services are running.

The researchers found the bugs by analysing how the VLC, Kodi, Popcorn Time and Stremio media players handle subtitle files. It turns out that older versions of these programs are all open to an easily accessed vulnerability that uses subtitle files to execute malicious code. The researchers followed the responsible disclosure guidelines and reported all vulnerabilities and exploits to the developers of the vulnerable media players. Stremio and VLC have issued patches for their players, and Popcorn Time and Kodi have released theirs as well. “To protect themselves and minimize the risk of possible attacks, users should ensure they update their streaming players to the latest versions,” Herscovici adds.

Researchers also state that VLC has reached more than 170 million downloads and Kodi (XBMC) has more than 10 million. Kodi (XBMC) has reached over 10 million unique users per day, and almost 40 million unique users per month.