The open source video transcoder HandBrake, and more specifically its Mac version, was hit by a serious security incident last week. Although it has now been fixed, anyone who downloaded and installed the software between May 2 and May 6 should verify that their system is not infected with a nasty trojan.
Although Apple’s ’00s-era marketing suggested that its platform was essentially virus free, today that’s not really the case. HandBrake is the latest example of that, though the developers responded quickly and have since cleared up the issue. They have also worked with Apple to make sure that OS X’s XProtect feature is aware of the malware and will keep its automated eyes open for it.
The trojan sneaked into the legitimate version of HandBrake through a compromised download mirror server, where it was attached to HandBrake 1.0.7 and downloaded by a number of users. According to the HandBrake team, around 50 percent of users who downloaded the software between May 2 and May 6 were routed to the infected server.
With that in mind, Apple is now urging everyone who downloaded the software during that period to perform some checks to see whether they have been affected. The first step is to look for a process named “Activity_agent”: if it is running, your system is infected. The other check is to compare the checksum of the file you downloaded with the one listed on the official forum post.
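Both checks from the paragraph above can be scripted. The following is an added example, not code from the article or from the HandBrake project: it looks for a running process whose name matches “Activity_agent” (case-insensitively, since process names are usually shown in lower case) and compares a downloaded file’s SHA-256 digest with a published one. The article lists no actual hash value, so the digest used in the demonstration is simply the SHA-256 of the constructed bytes “abc”; replace it with the value from the official forum post when checking a real download.

```shell
#!/bin/sh
# Added example (not from the article or the HandBrake project).
# Two checks: is a suspicious process running, and does the downloaded
# file's checksum match the published one?

# Return 0 if a running process name contains $1 (case-insensitive), 1 otherwise.
check_process() {
    name="$1"
    # `ps -A -o comm=` lists every process's command name on both macOS and Linux.
    if ps -A -o comm= 2>/dev/null | grep -qi -- "$name"; then
        return 0
    fi
    return 1
}

# Print the SHA-256 hex digest of file $1, using whichever tool the
# platform has (sha256sum on most Linux systems, shasum on macOS).
sha256_of() {
    file="$1"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$file" | awk '{print $1}'
    else
        shasum -a 256 -- "$file" | awk '{print $1}'
    fi
}

# Return 0 if the SHA-256 of file $1 equals the expected hex digest $2.
verify_checksum() {
    file="$1"
    expected="$2"
    actual="$(sha256_of "$file")"
    # Normalise case so a digest copied in upper case still compares equal.
    actual="$(printf '%s' "$actual" | tr 'A-Z' 'a-z')"
    expected="$(printf '%s' "$expected" | tr 'A-Z' 'a-z')"
    [ "$actual" = "$expected" ]
}

# Demonstration on a constructed file. The "published" digest below is the
# SHA-256 of the bytes "abc" (a standard test vector), not a HandBrake hash.
demo() {
    tmp="$(mktemp)"
    printf 'abc' > "$tmp"
    if verify_checksum "$tmp" "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"; then
        echo "checksum OK: file matches the published digest"
    else
        echo "checksum MISMATCH: do not install this file"
    fi
    rm -f "$tmp"

    if check_process "activity_agent"; then
        echo "WARNING: an activity_agent process is running; follow the removal steps"
    else
        echo "no activity_agent process found"
    fi
}

demo
```

To check a real download, call `verify_checksum /path/to/downloaded.dmg <digest-from-forum-post>`; a mismatch is reason enough to delete the file without opening it, and a matching digest only means the file is the one the project published, not that the system is otherwise clean.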
If it turns out you are infected with the trojan, there are a few steps to take to remove it. They involve running terminal commands, followed by removing any HandBrake.app installs you have. You can find the full list of commands on the HandBrake forum linked above.
Unfortunately, you shouldn’t stop there. Once you have confirmed that the malware is removed, you need to change your passwords. One of the things the trojan does is steal passwords, so any password you have used since installing HandBrake should be changed, as well as any stored in your OS X Keychain and any saved in your browser.
It might be a pain in the neck, but it’s an important step to limit any damage the Proton-inspired malware might do.