If you downloaded HandBrake for Mac last week, it would be wise to check if your computer has been compromised by the trojan that was bundled into the software.
HandBrake Download Link Infected With Trojan
According to a post on the official HandBrake forums, attackers compromised one of the project's download mirrors, download.handbrake.fr. The HandBrake for Mac installer hosted there was replaced with a build that bundled a trojan capable of giving the attackers root access to the computers it was installed on.
An analysis by Synack's director of research Patrick Wardle revealed that the compromised version of HandBrake for Mac carried an updated variant of the Proton malware. Like other remote-access trojans, the sample bundled with the infected app lets its operators execute shell commands as root on the Mac, access the machine remotely, log keystrokes, capture images from the webcam, and steal stored files and documents.
The infected version of HandBrake for Mac was served from May 2, 2:30 p.m. UTC until May 6, 11:00 a.m. UTC, when the compromised mirror was taken offline after the tampering was discovered. According to HandBrake's developers, users who downloaded HandBrake for Mac during this period have roughly a 50/50 chance of having received the trojaned build, because downloads were split between two mirrors.
The infected mirror was one of the two servers used to distribute the app; the file it served was HandBrake-1.0.7.dmg. The primary download mirror and the official HandBrake website were not compromised.
Users who upgraded HandBrake from version 1.0 or later to 1.0.7 through the app's built-in updater should not be affected, since that update system would not have accepted the compromised file. However, users on version 0.10.5 or earlier who used the built-in updater during this period might be affected.
How To Check If Your Mac Is Infected By The HandBrake Trojan
The trojan bundled into HandBrake for Mac installs into computers as a program named activity_agent.app, with a launch agent named fr.handbrake.activity_agent.plist that runs it whenever a user logs in.
An easy way to check whether a Mac has been infected is to open Activity Monitor and look for a process named Activity_Agent. If it is present, the computer is compromised. Its absence does not by itself prove the machine is clean, so the file locations below should be checked as well.
HandBrake's advisory then directs affected users to run the following in the Terminal application:
* launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
* rm -rf ~/Library/RenderFiles/activity_agent.app
* if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
Afterward, users should remove every copy of HandBrake.app on the Mac to complete the removal of the trojan. Users are also instructed to change any passwords stored in their browsers and in the OS X Keychain, since the malware could have read them.
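As an added example (not HandBrake's own tooling, and not from Wardle's analysis), the following POSIX shell script wraps the check and removal steps above so they can be run repeatably, for instance against several user accounts or against a home directory copied from a suspect machine. The three paths are the ones named in the advisory; the function names, the `pgrep` process check and the deletion of the plist file itself (the advisory only unloads it) are my own additions.

```shell
#!/bin/sh
# Added example, not HandBrake's code. Checks a home directory for the
# Proton/HandBrake indicators from the advisory and optionally removes them.
# Indicator paths are from the advisory; everything else is an assumption.

# Indicator paths, relative to the user's home directory.
PROTON_PLIST="Library/LaunchAgents/fr.handbrake.activity_agent.plist"
PROTON_APP="Library/RenderFiles/activity_agent.app"
PROTON_DIR="Library/VideoFrameworks"
PROTON_ZIP="$PROTON_DIR/proton.zip"

# handbrake_proton_check HOME_DIR
# Prints each file-system indicator found under HOME_DIR.
# Returns 0 if anything was found (infected), 1 if nothing was found,
# 2 if no directory was given.
handbrake_proton_check() {
    home="$1"
    [ -n "$home" ] || return 2
    found=1
    for rel in "$PROTON_PLIST" "$PROTON_APP" "$PROTON_ZIP"; do
        if [ -e "$home/$rel" ]; then
            echo "FOUND: $home/$rel"
            found=0
        fi
    done
    return $found
}

# handbrake_proton_process_running
# Live-system equivalent of looking for Activity_Agent in Activity Monitor.
# Returns 0 if a matching process exists. (Case-insensitive pgrep is my
# choice; the advisory only names the process.)
handbrake_proton_process_running() {
    pgrep -i activity_agent >/dev/null 2>&1
}

# handbrake_proton_remove HOME_DIR
# Unloads the launch agent (when launchctl exists, i.e. on macOS), removes
# the agent bundle, and removes the VideoFrameworks folder if it holds
# proton.zip, in the order the advisory gives. Also deletes the plist file so
# launchd does not try to load it again at the next login (a step beyond the
# advisory). Returns 0 if no indicator remains, 1 otherwise, 2 if no
# directory was given.
handbrake_proton_remove() {
    home="$1"
    [ -n "$home" ] || return 2
    if [ -e "$home/$PROTON_PLIST" ]; then
        if command -v launchctl >/dev/null 2>&1; then
            launchctl unload "$home/$PROTON_PLIST" || true
        fi
        rm -f "$home/$PROTON_PLIST"
    fi
    rm -rf "$home/$PROTON_APP"
    if [ -e "$home/$PROTON_ZIP" ]; then
        rm -rf "$home/$PROTON_DIR"
    fi
    if handbrake_proton_check "$home" >/dev/null; then
        return 1
    fi
    return 0
}

# Typical use on the affected Mac (commented out so the file can be sourced):
#   handbrake_proton_process_running && echo "Activity_Agent is running"
#   handbrake_proton_check "$HOME" && handbrake_proton_remove "$HOME"
```

Run the check first and only call the removal step once the indicators have been confirmed; a clean removal still does not replace the password changes and the deletion of HandBrake.app that the advisory asks for.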
One of the main rules for avoiding malware is to download only from trusted websites. In this case that did not help at all, because the trusted site itself was serving the trojaned file. The check that would have caught the swap is comparing the downloaded file's checksum or code signature against a value the project publishes separately from the download itself. HandBrake's developers are still investigating how the attackers compromised the mirror; in the meantime, the infected server will be rebuilt from scratch.