HandBrake for Mac developers warn of potential trojan installation following server breach

Mac users of HandBrake who downloaded the open source video transcoder since May 2 could have put their data at risk, after developers warned one of the mirror servers used to distribute the software had been hacked.

A post on the HandBrake forum reports that files served from the mirror between May 2 and May 6 were compromised, with the tool replaced by a malicious file containing a trojan capable of providing root access. Anyone who has installed HandBrake for Mac in this period is asked to verify their system is not infected with the trojan, with the developers suggesting users have a "50/50 chance" of being a victim if they did download the tool.

The file in question, HandBrake-1.0.7.dmg, was replaced by a malicious file that does not match the SHA1 and SHA256 hashes of the original file, with users advised to verify the checksum of the file before running it. Another way to check for an infection is to search for a process called "Activity_agent" in the Activity Monitor.

The same HandBrake forum post lists commands to run in Terminal to remove the trojan if an infection has occurred, and advises removing any HandBrake installations before starting from scratch. Affected users are also advised to change the passwords stored in the OS X Keychain, as well as any stored in browsers.

HandBrake's developers have been informed that Apple is updating the definitions for XProtect as of May 6 to help combat the infection, with the new definitions rolling out to Mac desktops automatically.

Only one mirror hosted the infected file, which has been shut down for investigation, while the primary download mirror and the project website remain unaffected. Users who update via the built-in updater in version 1.0 or later are protected by DSA Signature verification, though those who used the updater in version 0.10.5 or earlier are still at risk of infection.

The malware is identified as OSX/Proton.A, a variant of the Proton trojan that surfaced in March being sold on Russian cybercrime forums, priced at $50,000. An infection of this trojan leaves the system open to a number of different potential actions by hackers, including keystroke logging, file uploads and downloads, taking screenshots and photos from webcams, and SSH and VNC connectivity.

Macs are generally considered to be more resilient to attacks than Windows systems, but the frequency of malware reports aimed at Mac users is slowly increasing, partly due to the popularity of the platform in security-minded fields. Members of the U.S. defense industry and human rights advocates were targets for an attack by the "MacDownloader" malware in February, disguised as a Flash Player Update.

Also in February was the discovery of an auto-running macro in a Word document, a revival of an old technique used to infect Windows systems, this time used against Macs. Later that same month, a Russian hacking group accused of interfering with the 2016 U.S. presidential elections was found to have updated the "Xagent" malware package, adding Macs to its roster of potential targets.

In April, the "Dok" malware was said to be the first "major scale" malware aimed at Mac owners via a "coordinated email phishing campaign," with the malware notably using a signed Apple developer certificate to bypass Apple's Gatekeeper protection. Earlier this month, it was discovered that the "Snake" malware used to attack Windows users had been ported to Mac.