Handbrake Video Encoding Software for Mac Downloads Compromised by Malware

The developers of must-have open source video transcoding app Handbrake have issued a security warning to Mac users. A mirror download server hosting the software was hacked and the installer file for Handbrake 1.0.7 was replaced by a malware-infected file.

The original Handbrake 1.0.7.dmg installer file on mirror server download.handbrake.fr was replaced by the malicious code, leading to the developers issuing the warning on Saturday.

Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it.

Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance if you’ve downloaded HandBrake during this period.

Detection

If you see a process called “Activity_agent” in the OSX Activity Monitor application, you are infected.

For reference, if you’ve installed a HandBrake.dmg with the following checksums, you will also be infected:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

The Trojan in question is a new variant of OSX.PROTON.

To remove the malware, open up the “Terminal” application and run the following commands:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Then, remove any “HandBrake.app” installs you may have on your Mac. The developers say users must also change all the passwords that may reside in their OS X KeyChain or any browser password stores.

Handbrake developers say they have been informed by Apple that the process to update the definitions for OSX’s XProtect feature started Sunday morning, and should start rolling out to machines automatically very soon.

Chris Hauk