Downloading the app between May 2 (14:30 UTC) and May 6 (11:00 UTC) from the “download.handbrake.fr” mirror means you have a 50-percent chance of being infected with the Trojan. Automatically updated apps (using updater version 1.0 and above), and files downloaded from the primary mirror are unaffected.
The attackers replaced the usual HandBrake installer file, titled ‘HandBrake-1.0.7.dmg’, with a version that also contained the Trojan, so checking whether you have this file on your system and when it was downloaded is the first step to identifying the threat.
If you downloaded the installer during the specified time window, you can check whether you’ve inadvertently installed the malware by opening your Mac’s Activity Monitor application and looking for a process called “Activity_agent”. If it is present, you are infected.
If you still have the installer file, you can also check if it has either of the following checksums, which likewise indicate that it contains the Trojan.
For a step-by-step on determining a file’s checksums, check out this how-to.
Removing the malware is thankfully quite simple. Open the Terminal by searching for it in the Launchpad and type the following commands (without the bullet point), hitting enter after each line.
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
- if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
Once you’ve done this, open your Applications folder and remove any instances of Handbrake.app there (or any other locations you may have installed it to).
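The manual checks above (the Activity_agent process and the three paths named in the removal steps), scripted as an added example that is not from the original article. It assumes a POSIX shell and takes the home directory to scan as its first argument, so it can be pointed at any user’s home; the `--scan` flag and the function names are my own.

```shell
#!/bin/sh
# Scripted version of the detection checks in the article above (added example,
# not from the original article). Assumes a POSIX shell; the directory to scan
# is passed as $1 so the check can be pointed at any home directory.

# Print each on-disk indicator found under the given home directory, one per
# line, and return the number found (0 means none of the named paths exist).
check_handbrake_proton() {
    home="${1:-$HOME}"
    found=0
    # Persistence: the LaunchAgent the removal steps tell you to unload.
    plist="$home/Library/LaunchAgents/fr.handbrake.activity_agent.plist"
    if [ -f "$plist" ]; then
        echo "launch agent: $plist"
        found=$((found + 1))
    fi
    # The dropped agent bundle the removal steps delete.
    app="$home/Library/RenderFiles/activity_agent.app"
    if [ -e "$app" ]; then
        echo "agent bundle: $app"
        found=$((found + 1))
    fi
    # The archive whose presence means the VideoFrameworks folder should go.
    archive="$home/Library/VideoFrameworks/proton.zip"
    if [ -e "$archive" ]; then
        echo "archive: $archive"
        found=$((found + 1))
    fi
    return $found
}

# The Activity Monitor check from the article, scripted: returns 0 if a process
# named exactly Activity_agent is running, 1 otherwise.
activity_agent_running() {
    pgrep -x Activity_agent >/dev/null 2>&1
}

# Usage: sh proton_check.sh --scan   (scans $HOME; the exit status is the number
# of indicators found, so non-zero means follow the removal steps above).
if [ "${1:-}" = "--scan" ]; then
    check_handbrake_proton "$HOME"
    rc=$?
    if activity_agent_running; then
        echo "process: Activity_agent is running"
        rc=$((rc + 1))
    fi
    exit $rc
fi
```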
Because this Trojan targets passwords and sensitive information, if you’ve been infected it’s recommended you change all passwords that are stored in Apple’s macOS Keychain or any similar password-storing services, such as browser-based password stores. Note that deleting passwords from these services isn’t sufficient — you’ll need to actually change each password that has been stored in one of these locations, as they could have already been sent to the Trojan’s creators.