Mac users who downloaded the HandBrake video file-transcoding app over the past week have a high chance of having downloaded a Proton-infected tool instead. This undetectable Mac malware was discovered a couple of months ago and has become quite prolific since then.
The new malware warning for Mac users of HandBrake comes after it was discovered that a mirror download server was hacked and the app replaced with malware.
The security warning was released over the weekend on HandBrake's forums where the post mentions that anyone who has downloaded HandBrake on Mac between May 2, 14:30 UTC and May 6, 11:00 UTC needs to verify the SHA1 / 256 sum of the file before running it and run a system check to see if they've been infected with a Trojan. According to the company, there's a 50/50 chance of having been infected if you've downloaded the app during this period.
"If you see a process called 'Activity_agent' in the OSX Activity Monitor application, you are infected. For reference, if you've installed a HandBrake.dmg with the following checksums, you will also be infected:
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793," the announcement reads.
In order to remove the malware, you have to open up the Terminal application and run several commands:
Code:
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app
# If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
[ -e ~/Library/VideoFrameworks/proton.zip ] && rm -rf ~/Library/VideoFrameworks
Then, you have to remove any "Handbrake.app" installs that may be on the device. It is advisable that, following the malware removal, you change all the passwords that may reside in your OSX KeyChain or any browser password stores.
Read more: Mac Malware Proton Surfaces Again After HandBrake Mirror Download Server Hacked