HandbrakeThe developers of open source video transcoder app Handbrake have issued a security warning to Mac users after a mirror download server hosting the software was hacked.

The alert was issued on Saturday after it was discovered that the original HandBrake-1.0.7.dmg installer file on mirror server download.handbrake.fr had been replaced by a malicious file.

The affected server has been shut down for investigation, but developers are warning that users who downloaded the software from the server between 14:30 UTC May 2 and 11:00 UTC May 6 have a 50/50 chance of their system being infected by a trojan. "If you see a process called 'Activity_agent' in the OS X Activity Monitor application, you are infected," read the alert.

To remove the malware from an infected computer, users need to open up the Terminal application and run the following commands:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Users should then remove any installs of the Handbrake.app they have on their system. As an extra security recommendation, users should also change all the passwords that may reside in their OSX KeyChain or in any browser password stores.

The malware in question is a new variant of OSX.PROTON, a Mac-based remote access trojan that gives the attacker root-access privileges. Apple updated its macOS security software XProtect in February to defend against the original Proton malware. Apple initiated the process to update its XProtect definitions on Saturday and the update should already be rolling out to machines silently and automatically.

Handbrake users should note that the primary download mirror and the Handbrake website were unaffected by the hack. Downloads via the application's built-in updater with 1.0 and later are also unaffected, since these are verified by a DSA Signature and won't install if they don't pass. However, users with Handbrake 0.10.5 and earlier who used the application's built-in updater should check their system, as these versions don't have the verification feature.

For reference, HandBrake.dmg files with the following checksums are infected:
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 / SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

(Thanks, Alfonso!)

Top Rated Comments

Quu Avatar
83 months ago
These developers really need to setup a deamon of sorts which tests the SHA1 hash of these binaries every few hours or release their wares on the App Store.
Score: 7 Votes (Like | Disagree)
loby Avatar
83 months ago
The app is one of the best out there. I use it almost daily.
This is a great app and I too use it quite often.

It amazes me how people quickly complain and comment negatively on an open source "free" software that they don't have to pay anything for. Give them a break. This is not apple with unlimited resources and employees with high paying salaries who are expected to have everything protected and secure and perfect. They don't get paid. They were quick to reveal the issue and not hide anything.

Complainers either don't write code, or if you do, you are doing it for money. They are not. Those who use their software appreciate their hard work and appreciate their honesty to reveal the issue quickly and not hide anything so we can fix the issue on our side. This stuff happens occasionally. If you paid for the software, then "yeah"..complain. They have limited resources, so give them a break as they work hard to resolve the issue. I am sure someone had no sleep trying to quickly fix the problem and then have to go to their day job after, just to fix a free program that they offer to the world to use.

Appreciate the open source community that gives us a great program. Thanks for informing us right away so we can protect our systems and continue to use handbrake.
Score: 5 Votes (Like | Disagree)
Quu Avatar
83 months ago
Isn't Apple's code signing supposed to protect against this? Or are they not signing their builds? Or did their key get stolen?
[doublepost=1494153907][/doublepost]
No need for that exactly. Registered Mac developers can sign their code and distribute it anywhere. Most seem to do that.
That isn't secure enough because any developer can register for $99 (and the malware authors do too) then they just re-sign their new binary with the bought certificate and as-long as no one notices it will fly under the radar.

The developers themselves need to maintain hashes are correct.
Score: 5 Votes (Like | Disagree)
bladerunner2000 Avatar
83 months ago
Guess it's an indication that using the tool won't make any sense either... fair game.
The app is one of the best out there. I use it almost daily.
Score: 4 Votes (Like | Disagree)
Gannet Avatar
83 months ago
Handbrake is an excellent program that has served me well over the years and I have great respect for the developers. Security slip-ups can happen to anyone and I'm sure they will take the necessary measures to improve this for future.

That said, I'm posting because I nearly got caught by this. I download Handbrake last week and was surprised to see a dialog on launch asking me to enter my password to "install additional codecs". As a longtime Handbrake user I was certain that this was *not* normal, so I declined. Shortly afterword I was shown another dialog, independent from Handbrake, purporting to be from the system "Network Configuration" which needed my password to "update DHCP settings". As this was also something I was unfamiliar with, I again declined but the dialog immediately reappeared upon clicking cancel and I had to restart the computer to make it go away. So yeah, if you see any suspicious password dialogs, do NOT enter your password.

Attachment Image
Score: 4 Votes (Like | Disagree)
cashinstinct Avatar
83 months ago
Many developpers would have simply not said anything.

I applaud them for telling it like it is, and finding solutions.

Pretty sure many apps are affected by such issues, but either they don't find out / don't say to their users.
Score: 4 Votes (Like | Disagree)

Popular Stories

iPhone 15 Pro Lineup Feature

iPhone 15 Models Feature New Setting to Strictly Prevent Charging Beyond 80%

Tuesday September 19, 2023 2:04 pm PDT by
All of the iPhone 15 and iPhone 15 Pro models feature a new battery health setting that prevents the devices from charging beyond 80% at all times when enabled, as confirmed by The Verge's Allison Johnson during a Q&A session today. The new setting is separate from the pre-existing Optimized Battery Charging feature on iPhones, which intelligently delays charging past 80% until a more...
iOS 17 and iPhones Feature

iOS 17: 10 New Features That Just Launched

Sunday September 17, 2023 12:35 pm PDT by
In June, Apple announced iOS 17 with a wide range of new features and changes for the iPhone. Following over three months of beta testing, the free software update will be released this Monday, September 18 for the iPhone XS and newer. Below, we have recapped 10 key features coming to the iPhone with iOS 17, with additional features coming later this year. The update should be released to...
iOS 17

Apple Releases iOS 17.0.1 and iPadOS 17.0.1 With Bug Fixes, Plus iOS 17.0.2 for iPhone 15 Models

Thursday September 21, 2023 10:28 am PDT by
Apple today released iOS 17.0.1 and iPadOS 17.0.1 updates for the iPhone and the iPad, adding bug fixes to the new software. The iOS 17.0.1 and iPadOS 17.0.1 updates come just a few days after Apple launched iOS 17 and iPadOS 17. The software, which is build 21A340, can be downloaded on eligible iPhones and iPads over-the-air by going to Settings > General > Software Update. There is a...
emojipedia 15 1 emoji

Emoji Coming to Future iOS 17 Update Include Shaking Head, Brown Mushroom, Lime, Phoenix and More

Tuesday September 19, 2023 12:43 pm PDT by
As Apple was announcing new iPhone models last week, the Unicode Consortium was officially approving new emoji characters that are set to be added to smartphones starting in 2024. Mockup of new emoji from Emojipedia Approved Unicode 15.1 emoji include phoenix, lime, an edible mushroom, shaking head vertically (as in a "yes" nod), shaking head horizontally (a "no" head shake), and broken...