If you like converting your movies and videos to other formats to view on your portable gadgets, you are most likely familiar with this free video transcoding software Handbrake. It’s the go-to tool for many a Mac and Windows user for making videos compatible with just about anything. It’s that popular!
However, if you have downloaded Handbrake on a Mac between May 2 and May 6, there’s a chance you may have infected your machine with malware instead.
According to Handbrake’s security warning, hackers have replaced the HandBrake-1.0.7.dmg installer in one of its download mirror servers with a trojan application.
The affected mirror server was named as download.handbrake.fr and has already been shut down for investigation.
The malware appears to be a remote-access trojan, which allows hackers to take complete control of your Mac and steal passwords and credentials as well.
Handbrake warned that “anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1/256 sum of the file before running it.”
“Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan,” the warning continued. “You have [a] 50/50 chance if you’ve downloaded HandBrake during this period.”
For your safety, if you have installed Handbrake during the said time period, open your Mac’s Activity Monitor and check if you have a running process called “Activity_agent.”
“Activity_agent” is actually the trojan! If you have this process then your machine is infected. Handbrake said that it is a new variant of the spying malware OSX.PROTON.
To remove this dangerous trojan, open a Terminal window (Terminal is in the same folder as Activity Monitor) then copy and paste these three commands: (Hit return after each command to execute)
launch unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app
If the last command, ~/Library/VideoFrameworks/, shows that a proton.zip file exists, delete the file by running this command:
rm -rf ~/Library/VideoFrameworks/proton.zip
After running these commands sequentially, proceed to remove any “Handbrake.app” instance on your Applications folder by moving it to Trash.
Handbrake also stated that Apple has started to issue a Mac XProtect update this morning to protect against this latest OSX.PROTON variant so update it as soon as you can.
If your machine has been infected with “Activity_agent” and the OSX.PROTON trojan, it is highly recommended that you change all your passwords stored in your macOS Keychain and credentials stored in web browsers as well.
To see what accounts are in your Keychain, open the Keychain app (access it from the same “Utilities” folder where Activity Monitor and Terminal resides) then change the password for each account.
To view passwords saved in Safari, click on “Safari” on the top-left menu bar while Safari is open, then select Preferences >> Passwords.
On Chrome, paste this into your address bar: “chrome://settings/passwords” (without the quotes) to view all your saved passwords.
Firefox users can paste “about:preferences#security” (without quotes) in the address bar then click on “Saved Logins” to view your saved credentials.