This has turned out to be a very harsh period for both Mac developers and Mac users. In the last few months, a number of issues concerning the Mac's security have surfaced. First, there was a Trojan that seemed to spread only among Macs belonging to European users, the first of its kind. Now another, similar problem has appeared, and this time it's a malware infection. And not the ordinary, wandering malware that might reach you through an infected email and that users know to watch out for. This time it is the most prominent video transcoding app on the Mac.
The developers of the transcoding software HandBrake recently issued a statement warning that anyone who downloaded the software between May 2 and May 6 has roughly a 50/50 chance of having an infected copy on their hands. Even if you downloaded it before those dates, you should probably still check your device, just to be safe.
The alert also states that the installer file hosted on the mirror server had been replaced with an infected one. The malware turned out to be a variant of OSX.PROTON; in short, it gives the attacker who planted it root-level access to any system it infects. Apple already issued an update that defeated the original malware back in February, and is now working on one for this variant as well.
You can also find and remove the malware manually; here is a short guide showing how:
You may see a process called "Activity_agent" in the Activity Monitor app. If you do, your device is infected. You are also infected if you installed a HandBrake download with these checksums:
- SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
- SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793
You can remove it yourself. All you need to do is open the Terminal app and run these commands:
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app
If ~/Library/VideoFrameworks/ contains proton.zip, remove that folder as well.
You should also remove any remaining installs of the HandBrake app on your device.
Just to be safe, it would be a good idea to change all of the passwords stored in your browser or OS X keychain. You never know whether the attacker has already made a move and now has your credentials.