HandBrake is an often-used free tool for editing and converting video files on macOS machines, but anyone who downloaded it last week may have unwittingly infected their Macs with malware. Online criminals replaced the HandBrake installer with the Proton remote-access Trojan (RAT), which gains complete control of your system and can also steal passwords stored on your Mac.
On Saturday (May 6) HandBrake’s developers posted a note on their forums explaining that those who downloaded the program from a specific mirror server between May 2 and May 6 “have [a] 50/50 chance” of being infected by the RAT. That mirror server, download.handbrake.fr, had been compromised.
MacRumors forum poster Gannet described how the malware tried to infect his computer. As is often the case with Mac malware, user assistance is required for the attack to succeed: The phony installer attempts to gain full-system control by asking for your username and password to “install additional codecs.” This serves as a reminder to always think critically when you get a system prompt for your password, but on the other hand, it’s precisely what you’d expect the genuine HandBrake installer to do.
The infected downloadable disk image, HandBrake-1.0.7.dmg, was replaced by a malicious file that uses a variant of the OSX.PROTON malware. While it’s easy to remove this malware, affected users face a bigger problem with their passwords. The malware has access to login credentials stored in the macOS Keychain app, as well as to passwords stored by web browsers. (We recommend that users not let browsers store sensitive passwords.)
How to tell if you’re infected, and what to do
First, open the Activity Monitor app on your Mac, which is stored in the Utilities folder of the Applications directory. If you see a listed process named “Activity_agent”, we’re sorry, you’re infected.