HandBrake for Mac warning: Server breach may expose users to trojan installation

Beware of Malware

HandBrake for Mac compromised 

The popular open source video transcoder HandBrake is a favorite for Mac users who use it to rip DVDs for use on iPhones or Macs, but if you've downloaded it since May 2nd, the app may have installed malware on your computer.

The download.handbrake.fr mirror server was hacked, and files from that server that were downloaded between May 2 - 6 were compromised. The app was replaced with a trojan version that installed malware called OSX/Proton.A. This malware opens an infected system to such things as keystroke logging, file uploads and downloads without the knowledge of the user, taking screenshots or photos from webcams, and even SSH and VNC connectivity. If you guessed that the malware came from Russia, you're right - this malware is a variant of the Proton trojan that was being sold on Russian cybercrime forums for $50,000. 

If you downloaded and installed HandBrake for Mac (file name HandBrake-1.0.7.dmg), you're asked to verify that your system is not infected. One quick way to see if it is on your Mac is to look for a process named "Activity_agent" in the Activity Monitor app found in the Utilities folder. 

If it is found on your Mac, removal is quite simple from the Terminal app (from forum.handbrake.fr):

Open up the "Terminal" application and run the following commands:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app

if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder, then Remove any "HandBrake.app" installs you may have.

The developers also note that Apple is updating the definitions for the OS X/macOS XProtect feature and will be automatically loaded onto Macs.