With awareness of malware infections growing, and growing quickly, attackers have shifted tactics. Rather than writing yet another malicious download that users have learned to distrust, someone decided to piggyback on legitimate software that people are already going to install. The genuine, trusted app becomes the delivery vehicle for the malicious code. The latest example surfaced just last week and involves HandBrake, the popular open-source DVD-ripping and video-transcoding program, whose macOS download was found to be carrying the OSX.Proton malware.
HandBrake itself didn't ship malware on purpose; someone compromised the project's download mirror. With access to that server, the attacker simply replaced the genuine macOS installer with a trojanized copy and waited for people to download it.
When the infected copy is installed, it prompts for an administrator password, something the real HandBrake never needs. That prompt is the tell. Unfortunately, macOS has a reasonably good security record, so many Mac users have never learned to be suspicious of an unexpected request like this. Once the credentials are entered, the malware has what it needs and the Mac is compromised.
The tampered download has since been removed and the genuine build restored, so the app is safe to download again. That does nothing for the users who already fetched the infected copy, whose Macs may be compromised right now. Most software sites publish checksums so you can confirm that what you downloaded is what the authors posted. The catch in this case is that the same server that served the download was under the attacker's control, so any checksum shown beside it could have been altered to match the bad file. A checksum only helps when the expected value comes from a channel the attacker did not control; HandBrake has since published the hashes of the tampered file so users can check what they installed.
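A practical version of that check, written here as an added example rather than anything from the HandBrake project: hash the downloaded installer and compare it both against a known-good hash obtained out of band and against the hashes of the tampered file that a project publishes in its advisory. The sample installer bytes, the "announcement" hash and the "advisory" bad-hash list below are all constructed for illustration; real values come from the project's announcement or a second, independent mirror, never from the download page itself.

```python
"""Verify a downloaded installer against hashes obtained out of band.

Added example, not HandBrake project code. GENUINE, TROJANIZED,
GENUINE_SHA256 and ADVISORY_BAD are constructed stand-ins for a real
installer, the hash published in a project announcement, and the
hashes a project publishes for a known-tampered file.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-GB .dmg never has to fit in RAM


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory blob (used here to build the constructed sample hashes)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Streaming SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest: str, expected_sha256: str, known_bad_sha256=()) -> str:
    """Return "known-bad", "ok" or "mismatch" for a computed digest.

    The known-bad list is consulted first on purpose: if the attacker could
    edit the download page, the "expected" hash the user copied from it may
    itself be the hash of the tampered file, while the known-bad list comes
    from an independent advisory.
    """
    d = digest.strip().lower()
    if d in {b.strip().lower() for b in known_bad_sha256}:
        return "known-bad"
    if d == expected_sha256.strip().lower():
        return "ok"
    return "mismatch"


def verify_download(path: str, expected_sha256: str, known_bad_sha256=()) -> str:
    """Hash a downloaded file and classify it."""
    return classify(sha256_file(path), expected_sha256, known_bad_sha256)


def write_sample(data: bytes) -> str:
    """Write constructed sample bytes to a temp file and return its path."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dmg") as f:
        f.write(data)
        return f.name


# Constructed stand-ins (not real HandBrake artifacts or hashes).
GENUINE = b"HandBrake-genuine-sample-installer\n" * 64
TROJANIZED = GENUINE + b"attacker-appended-payload\n"
GENUINE_SHA256 = sha256_bytes(GENUINE)        # as if copied from the project's announcement
ADVISORY_BAD = (sha256_bytes(TROJANIZED),)    # as if copied from the project's advisory


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("trojanized", TROJANIZED)):
        path = write_sample(blob)
        try:
            print(f"{label}: {verify_download(path, GENUINE_SHA256, ADVISORY_BAD)}")
        finally:
            os.unlink(path)
    # Worst case: user copied the attacker's hash as the "expected" value.
    print("expected hash taken from tampered page:",
          classify(sha256_bytes(TROJANIZED), sha256_bytes(TROJANIZED), ADVISORY_BAD))
```

A "mismatch" verdict does not mean the file is malicious; it may be a different release or a corrupted download. It does mean you should not run it until you find out why.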
What this means is that HandBrake needs to work out exactly how the attacker got into the server. Until the entry point is known and closed, there is no assurance that the genuine app won't simply be swapped for a tainted one again.
As for the malware itself, OSX.Proton is a backdoor that gives the attacker remote access to the infected Mac and is known for stealing keychain data and other credentials, which is why it asks for the administrator password up front. There is a sliver of good news: this build appears to be unreliable and riddled with bugs of its own, to the point that it often fails to install its payload properly. After Transmission, the BitTorrent client, HandBrake is the second open-source Mac project with overlapping developers to have its download hijacked in exactly this way.