HandbrakeThe developers of open source video transcoder app Handbrake have issued a security warning to Mac users after a mirror download server hosting the software was hacked.

The alert was issued on Saturday after it was discovered that the original HandBrake-1.0.7.dmg installer file on mirror server download.handbrake.fr had been replaced by a malicious file.

The affected server has been shut down for investigation, but developers are warning that users who downloaded the software from the server between 14:30 UTC May 2 and 11:00 UTC May 6 have a 50/50 chance of their system being infected by a trojan. "If you see a process called 'Activity_agent' in the OS X Activity Monitor application, you are infected," read the alert.

To remove the malware from an infected computer, users need to open up the Terminal application and run the following commands:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Users should then remove any installs of the Handbrake.app they have on their system. As an extra security recommendation, users should also change all the passwords that may reside in their OSX KeyChain or in any browser password stores.

The malware in question is a new variant of OSX.PROTON, a Mac-based remote access trojan that gives the attacker root-access privileges. Apple updated its macOS security software XProtect in February to defend against the original Proton malware. Apple initiated the process to update its XProtect definitions on Saturday and the update should already be rolling out to machines silently and automatically.

Handbrake users should note that the primary download mirror and the Handbrake website were unaffected by the hack. Downloads via the application's built-in updater with 1.0 and later are also unaffected, since these are verified by a DSA Signature and won't install if they don't pass. However, users with Handbrake 0.10.5 and earlier who used the application's built-in updater should check their system, as these versions don't have the verification feature.

For reference, HandBrake.dmg files with the following checksums are infected:
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 / SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

(Thanks, Alfonso!)

Top Rated Comments

Quu Avatar
69 months ago
These developers really need to setup a deamon of sorts which tests the SHA1 hash of these binaries every few hours or release their wares on the App Store.
Score: 7 Votes (Like | Disagree)
loby Avatar
69 months ago
The app is one of the best out there. I use it almost daily.
This is a great app and I too use it quite often.

It amazes me how people quickly complain and comment negatively on an open source "free" software that they don't have to pay anything for. Give them a break. This is not apple with unlimited resources and employees with high paying salaries who are expected to have everything protected and secure and perfect. They don't get paid. They were quick to reveal the issue and not hide anything.

Complainers either don't write code, or if you do, you are doing it for money. They are not. Those who use their software appreciate their hard work and appreciate their honesty to reveal the issue quickly and not hide anything so we can fix the issue on our side. This stuff happens occasionally. If you paid for the software, then "yeah"..complain. They have limited resources, so give them a break as they work hard to resolve the issue. I am sure someone had no sleep trying to quickly fix the problem and then have to go to their day job after, just to fix a free program that they offer to the world to use.

Appreciate the open source community that gives us a great program. Thanks for informing us right away so we can protect our systems and continue to use handbrake.
Score: 5 Votes (Like | Disagree)
Quu Avatar
69 months ago
Isn't Apple's code signing supposed to protect against this? Or are they not signing their builds? Or did their key get stolen?
[doublepost=1494153907][/doublepost]
No need for that exactly. Registered Mac developers can sign their code and distribute it anywhere. Most seem to do that.
That isn't secure enough because any developer can register for $99 (and the malware authors do too) then they just re-sign their new binary with the bought certificate and as-long as no one notices it will fly under the radar.

The developers themselves need to maintain hashes are correct.
Score: 5 Votes (Like | Disagree)
bladerunner2000 Avatar
69 months ago
Guess it's an indication that using the tool won't make any sense either... fair game.
The app is one of the best out there. I use it almost daily.
Score: 4 Votes (Like | Disagree)
Gannet Avatar
69 months ago
Handbrake is an excellent program that has served me well over the years and I have great respect for the developers. Security slip-ups can happen to anyone and I'm sure they will take the necessary measures to improve this for future.

That said, I'm posting because I nearly got caught by this. I download Handbrake last week and was surprised to see a dialog on launch asking me to enter my password to "install additional codecs". As a longtime Handbrake user I was certain that this was *not* normal, so I declined. Shortly afterword I was shown another dialog, independent from Handbrake, purporting to be from the system "Network Configuration" which needed my password to "update DHCP settings". As this was also something I was unfamiliar with, I again declined but the dialog immediately reappeared upon clicking cancel and I had to restart the computer to make it go away. So yeah, if you see any suspicious password dialogs, do NOT enter your password.

Attachment Image
Score: 4 Votes (Like | Disagree)
cashinstinct Avatar
69 months ago
Many developpers would have simply not said anything.

I applaud them for telling it like it is, and finding solutions.

Pretty sure many apps are affected by such issues, but either they don't find out / don't say to their users.
Score: 4 Votes (Like | Disagree)

Popular Stories

cook sept 2020 event

Gurman: Apple Preparing Pre-Recorded iPhone 14 and Apple Watch Series 8 Event

Sunday August 7, 2022 6:13 am PDT by
Apple has "started to record" its virtual September event, where it's expected to announce the upcoming iPhone 14 lineup, the Apple Watch Series 8, and a new "rugged" Apple Watch model, according to Bloomberg's Mark Gurman. Writing in his latest Power On newsletter, Gurman says the event, which is expected to take place in the early part of September, is already under production, implying...
Apple Watch Series 7 Starlight Midnight

Standard Apple Watch Series 8 Rumored to Feature Same Design as Series 7

Friday August 5, 2022 7:46 am PDT by
The standard 41mm and 45mm models of the Apple Watch Series 8 will feature the same design as the Apple Watch Series 7, according to Twitter user @ShrimpApplePro, who was first to reveal that iPhone 14 Pro models would feature a new pill-and-hole display. Titanium will not be an option for the standard Apple Watch Series 8 models either, according to @ShrimpApplePro, but Bloomberg's Mark...
iPhone 14 Lineup Feature Purple

Color Options for All iPhone 14 Models: Everything We Know

Monday August 8, 2022 3:59 am PDT by
The iPhone 14 and iPhone 14 Pro models are rumored to be available in a refreshed range of color options, including an all-new purple color. Most expectations about the iPhone 14 lineup's color options come from an unverified post on Chinese social media site Weibo earlier this year. Overall, the iPhone 14 and iPhone 14 Pro's selection of color options could look fairly similar to those of the ...
ios 16 beta 5 battery percent

iOS 16 Beta 5: Battery Percentage Now Displayed in iPhone Status Bar

Monday August 8, 2022 10:43 am PDT by
With the fifth beta of iOS 16, Apple has updated the battery icon on iPhones with Face ID to display the specific battery percentage rather than just a visual representation of battery level. The new battery indicator is available on iPhone 12 and iPhone 13 models, with the exception of the 5.4-inch iPhone 12/13 mini. It is also available on the iPhone X and the iPhone XS. Battery percent...
iphone 14 pro max camera bump compared lipilipsi 16 9

Bigger iPhone 14 Pro Max Camera Bump Shown Alongside iPhone 13 Pro Max

Monday August 8, 2022 4:33 am PDT by
The camera bump on the upcoming iPhone 14 Pro Max is expected to be the largest rear lens housing Apple has ever installed on its flagship smartphones, and a new photo offers a rare glimpse at just how prominent it is compared to Apple's predecessor device. iPhone 14 Pro Max dummy (left) vs iPhone 13 Pro Max All iPhone 14 models are expected to see upgrades to the Ultra Wide camera on the...
ipad pro magic keyboard white

Rumor Claims Next iPad Pro to Feature New Four-Pin Smart Connector

Sunday August 7, 2022 11:57 am PDT by
A new rumor claims that the next-generation 12.9-inch and 11-inch iPad Pro will feature a new four-pin Smart Connector, an update from the current three-pin connector in the iPad Pro. The rumor from Mac Otakara, citing "reliable sources," says that the next iPad Pro, expected to debut possibly as soon as this fall, will feature a new Smart Connector that has four-pins rather than three. The...