Popular video-encoding Mac app HandBrake compromised with malware

The developers of the media transcoding program HandBrake have issued a security alert warning that some downloads of the installer for the Mac version of the app were replaced with a copy carrying a Trojan.

If you downloaded the app between May 2 (14:30 UTC) and May 6 (11:00 UTC) from the “download.handbrake.fr” mirror, HandBrake estimates a 50 percent chance that you received the Trojaned installer. Installs performed through the app’s built-in updater (updater version 1.0 and later) and downloads from the primary mirror are unaffected.

Diagnosis

The attackers replaced the normal HandBrake installer, ‘HandBrake-1.0.7.dmg’, with a version that also contained the Trojan. The malicious file keeps the same name as the clean one, so the name alone proves nothing: checking whether this file is on your system and when it was downloaded is the first step in identifying the threat.

If you downloaded the installer during the specified time window, you can check whether you inadvertently installed the malware by opening your Mac’s Activity Monitor application and looking for a process called “Activity_agent”. If it is running, you are infected.

If you still have the installer file, you can also compute its checksums. A file with the following SHA-1 or SHA-256 digest is the Trojaned installer (both values describe the same file, so a match on either is conclusive).

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274

SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

For a step-by-step on determining a file’s checksums, check out this how-to.

Removal

Removing the malware is thankfully quite simple. Open the Terminal by searching for it in the Launchpad and work through the following steps (without the bullet points), hitting enter after each command. The first two lines are commands; the third is a check to perform before deleting anything. Note that unloading the agent stops it but leaves the .plist in ~/Library/LaunchAgents, so delete that file as well or the persistence entry stays behind.

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Once you’ve done this, open your Applications folder and remove any instances of HandBrake.app there (and from any other locations you may have installed it to), then reinstall from the primary mirror.

Because this Trojan harvests passwords and other sensitive information, if you have been infected you should change every password stored in Apple’s macOS Keychain or in any similar password store, such as a browser’s saved passwords. Note that deleting passwords from these stores is not sufficient: you need to actually change each password that was stored there, because the stored values may already have been sent to the Trojan’s operators.