HandBrake, one of the most prominent video transcoding apps for Mac, has a malware problem. One of the mirror sites for downloading HandBrake has been compromised by hackers.
The developers of HandBrake have issued a statement warning that one of the mirror sites for downloading the software has been compromised by hackers. The post explains that anyone who downloaded the software between May 2nd and 6th of this year has a 50/50 chance of being infected. The installer file on the mirror server download.handbrake.fr (HandBrake-1.0.7.dmg) was replaced by a malicious file. The malware is a variant of OSX.PROTON, which gives a hacker root access privileges to the system.
Back in February, Apple had to issue an update to XProtect to account for the original Proton, and on Saturday the company began the process of updating it for this latest variant. The update should download automatically for most users.
How to detect it:
If you see a process called “Activity_agent” in the OSX Activity Monitor application, you are infected.
For reference, if you’ve installed a HandBrake.dmg with the following checksums, you will also be infected:
The Trojan in question is a new variant of OSX.PROTON
How to Remove it:
Open up the “Terminal” application and run the following commands:
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app
If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder.
Then remove any “HandBrake.app” installs you may have.
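The detection and removal steps above name one process and three file locations. The following read-only check looks for all of them before anything is deleted; it is an added example, not part of the HandBrake developers' statement, and its function names and output wording are assumptions.

```shell
#!/bin/sh
# Read-only check for the indicators named in this article. Function names
# and output wording are assumptions of this added example.

# Print every file indicator that exists under the given home directory.
proton_file_hits() {
    pf_home=${1:-$HOME}
    for pf_rel in \
        "Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
        "Library/RenderFiles/activity_agent.app" \
        "Library/VideoFrameworks/proton.zip"
    do
        if [ -e "$pf_home/$pf_rel" ]; then
            printf '%s\n' "$pf_home/$pf_rel"
        fi
    done
    return 0
}

# Succeed if a process named Activity_agent is running (case-insensitive).
proton_process_running() {
    command -v pgrep >/dev/null 2>&1 || return 1
    pgrep -i -x activity_agent >/dev/null 2>&1
}

# Return 0 when nothing is found, 1 when any indicator is present.
proton_check() {
    pc_files=$(proton_file_hits "${1:-$HOME}")
    pc_status=0
    if proton_process_running; then
        echo "FOUND process: Activity_agent"
        pc_status=1
    fi
    if [ -n "$pc_files" ]; then
        printf '%s\n' "$pc_files" | sed 's/^/FOUND file: /'
        pc_status=1
    fi
    if [ "$pc_status" -eq 0 ]; then
        echo "No indicators from the article found"
    fi
    return "$pc_status"
}

# Check the given home directory, or the current user's by default.
proton_check "${1:-$HOME}" || echo "Indicators present: follow the removal steps above."
```

A clean result only means these specific artifacts are absent; it does not replace the XProtect update mentioned earlier.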