Beware of malicious Popcorn Time websites

In case you don’t want to read the whole thing:

  • Don’t download anything from popcorntime.ws as it most likely contains malware
  • Some download links in the Popcorn Time subreddit also pose a high risk
  • Popcorn Time CE YIFY (popcorntime.ag) appears to be clean
  • One of the Popcorn Time CE (popcorntimece.tk) installers has a weak positive
  • Time4popcorn installers look clean but iOS Installer tests positive (weak)

Since the official Popcorn Time website was shut down it’s been very difficult to keep track of what’s been going on. It didn’t take long for something new to come along and in a matter of weeks a new fork was out: Popcorn Time Community Edition (CE).

The Community Edition part of the name comes from how it came to life. Users love Popcorn Time so there’s a large community behind it and some of these happen to know their way around a computer. People started discovering that it was still possible to use the software with a couple of fixes applied and ultimately someone came up with the great idea to include these in the installer. Popcorn Time Community Edition was born and soon thereafter it spread from Reddit where it was created and on to dedicated websites.

The Popcorn Time Community Edition has brought the official Popcorn Time service back to life.

While it’s good to see that Popcorn Time can’t be killed it’s been quite confusing for most and the fact of the matter is that a lot of people want to download Popcorn Time but it’s hard to figure out where to get it and which versions are safe to download. The combination of a lot of interest and the shutdown of the official website has unfortunately not only brought us Popcorn Time CE but also a few websites trying to take advantage of the situation.

Scanning Popcorn Time installers

To examine the installer files for malware, viruses etc. we downloaded them and submitted each one individually for a scan at virustotal.com. VirusTotal is a subsidiary of Google Inc. that can be used to scan files to detect viruses, malware, adware, worms etc., which it does by aggregating no less than 61 online scan tools at once.

The scans included installer files for Windows, Mac OS X and Linux but not the Android apk files. While not exhaustive it should still provide a good idea of the trustworthiness of the source and if it can be considered safe to go forth with the installation.

Whether or not a positive scan (i.e. if the file contains something potentially nasty) is true or false can’t be readily determined by a VirusTotal scan; it only returns the results of the employed online scan tools. Even harmless files sometimes trigger a false positive result and it’s therefore possible that a clean and safe file comes back looking infected.

Another handy feature of VirusTotal is that it also provides a checksum for the files. The checksum is like the fingerprint of the file and can thus be used to determine if two files are identical or not. This comes in very handy when we’re trying to determine if a downloaded file is legit or not.

Popcorntime.ws

Popcorntime.ws currently sits at number three in a Google search for “popcorn time” and how it got there is a mystery. It looks a lot like the other Popcorn Time websites and on the surface it seems like their version of Popcorn Time could be just as good as the next one. However, looking a bit into what’s going on with that website it’s evident you should steer clear of it.

Popcorntime.ws looks legit on the surface but should be avoided due to high risk of getting infected with malware.

The download page contains a myriad of download links to “fixed Popcorn Time”, “Time4popcorn” and “Official Popcorn Time”. The website doesn’t host its own Popcorn Time fork but has built the website around the work of others. The “fixed Popcorn Time” is actually popcorntimece.tk, Time4popcorn is popcorn-time.se and Official Popcorn Time is popcorntime.io and the downloads offered have been copied from those websites.

While some of the files are identical to those on the websites where they were copied, some of them have apparently been altered which raises a big red flag. It’s easy to tell this by comparing the checksums of the files: for two files to be identical, their checksums have to be identical. If the checksums differ something has been altered. If you take a look at the references, it’s the SHA256 values we’ve compared.

The altered files are:

  • Time4popcorn, Mac installer – reference a and b
  • Time4popcorn, Windows installer – reference c and d
  • Official Popcorn Time (popcorntime.io), Windows installer – reference e and f
  • Official Popcorn Time (popcorntime.io), Linux installer – reference g and h
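
The checksum comparison described above can be scripted. The following is an added example, not code from the original article: it streams each file through SHA-256 and compares a mirror's copies against the upstream originals, matched by file name. The directory layout, file names and file contents are constructed stand-ins, not real installers.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_to_upstream(upstream_dir, mirror_dir):
    """Classify each mirrored file as identical, altered, or lacking an upstream original."""
    upstream = {p.name: sha256_file(p) for p in Path(upstream_dir).iterdir() if p.is_file()}
    report = {}
    for path in sorted(Path(mirror_dir).iterdir()):
        if not path.is_file():
            continue
        expected = upstream.get(path.name)
        if expected is None:
            report[path.name] = "no-upstream-reference"  # nothing to compare against
        elif sha256_file(path) == expected:
            report[path.name] = "identical"
        else:
            report[path.name] = "altered"  # even a single changed byte lands here
    return report


def demo():
    """Constructed sample: tiny stand-in files written to a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        up, mirror = Path(tmp, "upstream"), Path(tmp, "mirror")
        up.mkdir()
        mirror.mkdir()
        (up / "installer-win.exe").write_bytes(b"original windows build")
        (up / "installer-mac.dmg").write_bytes(b"original mac build")
        (mirror / "installer-win.exe").write_bytes(b"original windows build\x00")
        (mirror / "installer-mac.dmg").write_bytes(b"original mac build")
        (mirror / "installer-ios.exe").write_bytes(b"no upstream counterpart")
        return compare_to_upstream(up, mirror)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A file the mirror offers that the upstream source never published has no reference to compare against, so the script reports it separately rather than calling it clean.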

Only the “Official Popcorn Time” Windows installer came back positive for malware (although only a weak indication) but the proof is in the pudding, or in this case the checksums, and it’s evident the files have been altered. It’s unclear what the alterations are, they might be totally harmless, but it seems very shady and there’s really no reason to take the chance and download Popcorn Time installers from popcorntime.ws.

When we scanned the files we got positive results for four different kinds of malware (reference i, j and k):

  • Win32.SuspectCrc
  • Win32.Vobfus
  • Adware.BetterSurf.Win32.11678
  • QVM05.1.Malware.Gen

The results aren’t very strong as only a minority of the scanners gave positive results so it’s possible they’re false. There’s strong evidence it’s the case for Win32.Vobfus as VirusTotal also found it in the original Windows installer from popcorntime.io. All software from popcorntime.io was developed as open source and we’ve never heard any reports of users getting malware from the official fork. It thus seems very likely that one is a false positive.

However, it is still evident that popcorntime.ws is a shady site that should most definitely be avoided.

If you feel like helping out you can report it to Google here. If more people report it there’s a higher chance it’s going to be taken off Google search results.

/r/PopCornTime/

One of the most popular posts on the Popcorn Time reddit page, /r/PopCornTime/, contains links to what’s supposedly the original official Popcorn Time installation files from popcorntime.io. At least that’s probably what someone would like us to think. At first glance we noticed something odd; the links included an iOS version but popcorntime.io never released such an app, only time4popcorn did.

The malware-riddled installation files passed off as coming from the official Popcorn Time website popcorntime.io.

This seemed a bit suspicious and when we took a closer look using VirusTotal it was clear the files are identical to those found on the popcorntime.ws website filed as “Official Popcorn Time”. While most of those proved to in fact be identical to the original installers from popcorntime.io we also saw by comparing checksums that a couple of them had been altered.

It seems unlikely that direct download links to these files have been added by mistake since there’s a link to a legit archive of popcorntime.io in the text in the preceding paragraph. If misleading the users isn’t the intention then why not just use download links from that resource?

Investigating the case a bit further still, we came across a small file called PopcornTimeFix.exe which we also ran through VirusTotal and guess what? It came back positive for three counts of malware: W32.HfsAtITPSINF.5E47, OpenCandy.j and BehavesLike.Win32.Generic.th. While the positives might be false, they raise suspicion when seen in context with the altered popcorntime.ws files.

It appears there’s a clear link between popcorntime.ws and someone in the admin group of /r/PopCornTime/ but to outsiders there’s no indication towards the details of the connection.

It’s not fair to dismiss the whole Popcorn Time subreddit as being fraudulent but it looks like the admins should pay attention to what’s being communicated and take the necessary steps of cleaning up the admin group.

Popcorntime.ag

Popcorntime.ag hosts one of the Popcorn Time CE forks and when we scanned their installation files we didn’t find anything so it looks like they’re one of the few good guys out there. The software is built from the remains of popcorntime.io but they’ve already released their first beta and it works very well.

Visit popcorntime.ag

Popcorntimece.tk

Popcorntimece.tk is another Popcorn Time CE fork and while the Mac and Linux installers checked out with VirusTotal, the Windows installer came back positive for QVM05.1.Malware.Gen, which apparently hijacks the browser to display ads.

Whether the positive is false or not remains unclear so far. It’s been claimed on reddit that it is indeed false and that the problem will be fixed for the release of the next beta, but also that it can only be a true positive (see reddit thread).

Visit popcorntimece.tk

Time4popcorn

The Popcorn Time installer files all came back clean from VirusTotal (reference l, m, n, o and p) but the iOS Installer came back with positives for Win32.SuspectCrc and PE:Malware.Generic/QRS!1.9E2D [F].

Learn more about Time4popcorn
