HandBrake’s developers are warning Mac users about a possible malware infection after downloading the popular video transcoding app. The dev team spotted the issue Saturday, and note users who downloaded the app between 14:30 (UTC) on May 2 and 11:00 (UTC) on My 6 have a 50/50 chance of infection.
The malware is a variant of OSX.PROTON, a remote access tool (RAT) sold on cybercrime forums all over the web. The RAT has the typical feature set of other RAT programs, including keylogging, remote access (including root access), the ability to grab screen shots, steal files, or execute shell commands.
To obtain admin privileges, it needs your password, which many unknowing downloaders provided under the guise of downloading additional video codecs.
Fortunately, it’s relatively easy to spot. Just open macOS Activity Montior and search for ‘Activity_agent’. If you see the search term, you’re infected. To remove, just open Terminal and run the following commands:
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
- if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
And it should go without saying that you should delete HandBrake, only re-installing after completing the steps above.