This article was published on May 8, 2017

HandBrake reminds all of us that Macs aren’t immune from malware


HandBrake reminds all of us that Macs aren’t immune from malware
Bryan Clark
Story by

Bryan Clark

Former Managing Editor, TNW

Bryan is a freelance journalist. Bryan is a freelance journalist.

HandBrake’s developers are warning Mac users about a possible malware infection after downloading the popular video transcoding app. The dev team spotted the issue Saturday, and note users who downloaded the app between 14:30 (UTC) on May 2 and 11:00 (UTC) on My 6 have a 50/50 chance of infection.

The malware is a variant of OSX.PROTON, a remote access tool (RAT) sold on cybercrime forums all over the web. The RAT has the typical feature set of other RAT programs, including keylogging, remote access (including root access), the ability to grab screen shots, steal files, or execute shell commands.

To obtain admin privileges, it needs your password, which many unknowing downloaders provided under the guise of downloading additional video codecs.

Fortunately, it’s relatively easy to spot. Just open macOS Activity Montior and search for ‘Activity_agent’. If you see the search term, you’re infected. To remove, just open Terminal and run the following commands:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

And it should go without saying that you should delete HandBrake, only re-installing after completing the steps above.