HandBrake is a free, open-source transcoder for digital video files. It makes ripping a film from a DVD to a data storage device such as NAS boxes easier. HandBrake works on Linux, macOS, and Windows. A recent version of HandBrake for Mac, and possibly other downloads at the same site, was infected with malware. If you downloaded HandBrake on Mac between 2/May/2017 and 06/May/2017, you need to delete the file ASAP. The download was infected with a new variant of the OSX.PROTON malware.
- HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which mirrors these: https://github.com/HandBrake/HandBrake/wiki/Checksums
- The Affected Download mirror (download.handbrake.fr) has been shut down for investigation.
- The Primary Download Mirror and website were unaffected.
- Downloads via the application’s built-in updater with 1.0 and later are unaffected. These are verified by a DSA Signature and will not install if they don’t pass.
- Downloads via the application’s built-in updater with 0.10.5 and earlier did not have verification, so you should check your system with these older releases.
How do I find out if my macOS was compromised?
From the official forum:
If you see a process called “Activity_agent” in the OSX Activity Monitor application, you are infected. For reference, if you’ve installed a HandBrake.dmg with the following checksums, you will also be infected:
The Trojan in question is a new variant of OSX.PROTON.
How do I remove it?
Open up the “Terminal” application and run the following commands:
$ launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
$ rm -rf ~/Library/RenderFiles/activity_agent.app
If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder. Then remove any “HandBrake.app” installs you may have.
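A read-only check for the indicators listed above, useful both before the removal commands and afterwards to confirm nothing is left. This is an added example, not part of the HandBrake notice: the paths and the process name come from this page, while the function names and the optional home-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: look for the OSX.PROTON artifacts named on this page.
# Nothing is deleted or unloaded; the script only reports what it finds.

# Print every known artifact that exists under the given home directory.
proton_artifacts() {
    home=$1
    for artifact in \
        "$home/Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
        "$home/Library/RenderFiles/activity_agent.app" \
        "$home/Library/VideoFrameworks/proton.zip"
    do
        # -e matches files and directories (the .app is a bundle directory).
        if [ -e "$artifact" ]; then
            printf '%s\n' "$artifact"
        fi
    done
}

# Succeed if a process named Activity_agent is running (case-insensitive).
# Returns 2 when pgrep is not available, so the caller treats it as "not seen".
proton_process_running() {
    command -v pgrep >/dev/null 2>&1 || return 2
    pgrep -i -x activity_agent >/dev/null 2>&1
}

# Return 0 when no indicator is present, 1 when at least one is.
proton_check() {
    found=$(proton_artifacts "$1")
    rc=0
    if [ -n "$found" ]; then
        printf 'Artifacts found:\n%s\n' "$found"
        rc=1
    fi
    if proton_process_running; then
        echo 'Process "Activity_agent" is running'
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "No indicators from this page found under $1"
    return "$rc"
}

# Check the current user's home unless another directory is given.
proton_check "${1:-$HOME}"
```

Run it once per user account on the Mac, since all three paths are per-user.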
Connection with Transmission’s malware hack
It seems that the authors/developers of Transmission and HandBrake are the same people. In the past, Transmission’s download was replaced with a malware-infected one too. Coincidence? I don’t think so.
For more info see: