If you downloaded the Mac version of the popular video converter HandBrake last week, your computer may be infected with a trojan. The developers behind the open source app have issued a security warning to Mac users after a mirror download server (download.handbrake.fr) hosting the software was hacked, replacing the HandBrake-1.0.7.dmg file with an infected one.
The malicious file was up between 14:30 UTC May 2 and 11:00 UTC May 6. “You have a 50/50 chance if you've downloaded HandBrake during this period,” the developer warns. The malware in question is a new variant of OSX.PROTON, a Mac-based remote access trojan that gives the attacker root-access privileges, allowing them to perform all kinds of actions, from viewing the screen in real time and recording keystrokes, to uploading your files, downloading additional malware, accessing the webcam, and more.
If you downloaded the video transcoding software during the reported timeframe, the easiest way to confirm whether you’re infected is to launch Activity Monitor from Applications/Utilities and look for a process called “activity_agent”. If it’s there, your system is infected.
Apple updated its macOS security software XProtect in February to defend against the original Proton malware, and began rolling out new definitions over the weekend to detect the new variant as well.
Deleting the infected files manually is also relatively straightforward. All you need to do is open the “Terminal” application and run the following commands:
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app
HandBrake recommends checking the ~/Library/VideoFrameworks folder for the presence of a file called “proton.zip” and deleting the entire VideoFrameworks directory if found. You should also delete the infected HandBrake.dmg file and reinstall from a clean source.
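The Activity Monitor check above and the file paths named in the removal steps are the same indicators a defender would want to test for in one pass, ideally before deleting anything. The script below is an added example, not code from the article or from the HandBrake project: it reports each indicator the text describes (the LaunchAgent plist, the activity_agent.app bundle, the proton.zip archive and, on a live host, a running activity_agent process) and leaves the cleanup to the commands given above. The function name, the home-directory parameter and the “live” flag are assumptions made here so the check can also be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the article or the HandBrake advisory: read-only
# check for the OSX.PROTON indicators described in the text.

# scan_proton_indicators HOME_DIR [live]
#   Prints one "FOUND:" line per indicator and returns 1 if any were found;
#   prints nothing and returns 0 on a clean tree. HOME_DIR defaults to $HOME.
#   The process check only makes sense on a real host, so it is enabled by
#   passing "live" as the second argument (both parameters are assumptions).
scan_proton_indicators() {
    home="${1:-$HOME}"
    found=0
    # Paths taken from the removal steps in the advisory.
    plist="$home/Library/LaunchAgents/fr.handbrake.activity_agent.plist"
    agent_app="$home/Library/RenderFiles/activity_agent.app"
    proton_zip="$home/Library/VideoFrameworks/proton.zip"

    if [ -f "$plist" ]; then
        echo "FOUND: persistence LaunchAgent $plist"
        found=1
    fi
    if [ -d "$agent_app" ]; then
        echo "FOUND: agent bundle $agent_app"
        found=1
    fi
    if [ -f "$proton_zip" ]; then
        echo "FOUND: payload archive $proton_zip"
        found=1
    fi
    # Same check as looking for "activity_agent" in Activity Monitor.
    if [ "${2:-}" = "live" ] && pgrep -x activity_agent >/dev/null 2>&1; then
        echo "FOUND: running activity_agent process"
        found=1
    fi
    return $found
}

# Stand-alone use on a Mac: sh scan.sh --live
if [ "${1:-}" = "--live" ]; then
    if scan_proton_indicators "$HOME" live; then
        echo "No OSX.PROTON indicators found."
    else
        echo "Indicators found: run the removal commands from the advisory."
    fi
fi
```

Because the function only reads the filesystem and process list, it is safe to run repeatedly, for example once before and once after the removal commands to confirm that every indicator is gone; a non-zero exit status on the second run means something was missed.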
While that should take care of the original infection, users should run additional malware detection software in case anything else has already been downloaded to their system, and change all the passwords in their macOS Keychain as well as any passwords saved in their browsers.