Popular Mac App Developers Issue Urgent Malware Warning

Image source: Apple

It’s been a rough week in Mac security. First, Checkpoint warned users of a Trojan spreading in Europe that was the first of its kind. And now, one of the most prominent video transcoding apps for Mac has a malware problem.

[referenced url=”https://www.gizmodo.com.au/2016/08/mac-bittorrent-client-transmission-gets-infected-with-malware-again/” thumb=”https://i.kinja-img.com/gawker-media/image/upload/t_ku-large/tlsbgm60uklsoebtxxu0.jpg” title=”Mac BitTorrent Client Transmission Gets Infected With Malware Again” excerpt=”For the second time in five months, the Transmission BitTorrent client for Mac has been infected with malware.”]

The developers of the transcoding software Handbrake have issued a statement that warns one of the mirror sites to download the software has been compromised by hackers. The post explains that anyone who has downloaded the software between May 2nd and 6th of this year has a 50/50 chance of being infected. But, it’s probably a good idea just to double check if you’ve downloaded it anytime recently.

According to yesterday’s alert, the installer file on the mirror server download.handbrake.fr (HandBrake-1.0.7.dmg) was replaced by a malicious file. The malware is a variant of OSX.PROTON, it gives a hacker root access privileges to the system. Back in February, Apple had to issue an update to XProtect to account for the original Proton and on Saturday, the company began the process of updating for the this latest variant. It should automatically download for most users.

Here’s how to detect and remove it:

Detection

If you see a process called “Activity_agent” in the OSX Activity Monitor application. You are infected.

For reference, if you’ve installed a HandBrake.dmg with the following checksums, you will also be infected:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274

SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

The Trojan in question is a new variant of OSX.PROTON

Removal

Open up the “Terminal” application and run the following commands:

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plistrm -rf ~/Library/RenderFiles/activity_agent.appif ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Then Remove any “HandBrake.app” installs you may have.

For the sake of precaution, users should change passwords stored in any OSX or browser keychains. While primary mirror site and the automatic updater on versions 1.0 or later weren’t affected, anyone who uses Handbrake should just make sure.

[Handbrake via MacRumors]


The Cheapest NBN 50 Plans

Here are the cheapest plans available for Australia’s most popular NBN speed tier.

At Lifehacker, we independently select and write about stuff we love and think you'll like too. We have affiliate and advertising partnerships, which means we may collect a share of sales or other compensation from the links on this page. BTW – prices are accurate and items in stock at the time of posting.

Comments


One response to “Popular Mac App Developers Issue Urgent Malware Warning”