This is one of those things discovered by security researchers, rather than being found because some criminal group was actively using it. BUT, now that it's been published, you can pretty much bet that some bad guys are gonna look closely at it.
The overall weakness is that there's no standard way to handle subtitles outside of the DVD & Blu-ray formats. VLC does it one way, Kodi another, & I assume each of the Android media players has its own way of doing things.
threatpost[.]com/subtitle-hack-leaves-200-million-vulnerable-to-remote-code-execution/125868/