HandbrakeThe developers of open source video transcoder app Handbrake have issued a security warning to Mac users after a mirror download server hosting the software was hacked.

The alert was issued on Saturday after it was discovered that the original HandBrake-1.0.7.dmg installer file on mirror server download.handbrake.fr had been replaced by a malicious file.

The affected server has been shut down for investigation, but developers are warning that users who downloaded the software from the server between 14:30 UTC May 2 and 11:00 UTC May 6 have a 50/50 chance of their system being infected by a trojan. "If you see a process called 'Activity_agent' in the OS X Activity Monitor application, you are infected," read the alert.

To remove the malware from an infected computer, users need to open up the Terminal application and run the following commands:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Users should then remove any installs of the Handbrake.app they have on their system. As an extra security recommendation, users should also change all the passwords that may reside in their OSX KeyChain or in any browser password stores.

The malware in question is a new variant of OSX.PROTON, a Mac-based remote access trojan that gives the attacker root-access privileges. Apple updated its macOS security software XProtect in February to defend against the original Proton malware. Apple initiated the process to update its XProtect definitions on Saturday and the update should already be rolling out to machines silently and automatically.

Handbrake users should note that the primary download mirror and the Handbrake website were unaffected by the hack. Downloads via the application's built-in updater with 1.0 and later are also unaffected, since these are verified by a DSA Signature and won't install if they don't pass. However, users with Handbrake 0.10.5 and earlier who used the application's built-in updater should check their system, as these versions don't have the verification feature.

For reference, HandBrake.dmg files with the following checksums are infected:
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 / SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

(Thanks, Alfonso!)

Top Rated Comments

Quu Avatar
75 months ago
These developers really need to setup a deamon of sorts which tests the SHA1 hash of these binaries every few hours or release their wares on the App Store.
Score: 7 Votes (Like | Disagree)
loby Avatar
75 months ago
The app is one of the best out there. I use it almost daily.
This is a great app and I too use it quite often.

It amazes me how people quickly complain and comment negatively on an open source "free" software that they don't have to pay anything for. Give them a break. This is not apple with unlimited resources and employees with high paying salaries who are expected to have everything protected and secure and perfect. They don't get paid. They were quick to reveal the issue and not hide anything.

Complainers either don't write code, or if you do, you are doing it for money. They are not. Those who use their software appreciate their hard work and appreciate their honesty to reveal the issue quickly and not hide anything so we can fix the issue on our side. This stuff happens occasionally. If you paid for the software, then "yeah"..complain. They have limited resources, so give them a break as they work hard to resolve the issue. I am sure someone had no sleep trying to quickly fix the problem and then have to go to their day job after, just to fix a free program that they offer to the world to use.

Appreciate the open source community that gives us a great program. Thanks for informing us right away so we can protect our systems and continue to use handbrake.
Score: 5 Votes (Like | Disagree)
Quu Avatar
75 months ago
Isn't Apple's code signing supposed to protect against this? Or are they not signing their builds? Or did their key get stolen?
[doublepost=1494153907][/doublepost]
No need for that exactly. Registered Mac developers can sign their code and distribute it anywhere. Most seem to do that.
That isn't secure enough because any developer can register for $99 (and the malware authors do too) then they just re-sign their new binary with the bought certificate and as-long as no one notices it will fly under the radar.

The developers themselves need to maintain hashes are correct.
Score: 5 Votes (Like | Disagree)
bladerunner2000 Avatar
75 months ago
Guess it's an indication that using the tool won't make any sense either... fair game.
The app is one of the best out there. I use it almost daily.
Score: 4 Votes (Like | Disagree)
Gannet Avatar
75 months ago
Handbrake is an excellent program that has served me well over the years and I have great respect for the developers. Security slip-ups can happen to anyone and I'm sure they will take the necessary measures to improve this for future.

That said, I'm posting because I nearly got caught by this. I download Handbrake last week and was surprised to see a dialog on launch asking me to enter my password to "install additional codecs". As a longtime Handbrake user I was certain that this was *not* normal, so I declined. Shortly afterword I was shown another dialog, independent from Handbrake, purporting to be from the system "Network Configuration" which needed my password to "update DHCP settings". As this was also something I was unfamiliar with, I again declined but the dialog immediately reappeared upon clicking cancel and I had to restart the computer to make it go away. So yeah, if you see any suspicious password dialogs, do NOT enter your password.

Attachment Image
Score: 4 Votes (Like | Disagree)
cashinstinct Avatar
75 months ago
Many developpers would have simply not said anything.

I applaud them for telling it like it is, and finding solutions.

Pretty sure many apps are affected by such issues, but either they don't find out / don't say to their users.
Score: 4 Votes (Like | Disagree)

Popular Stories

iOS 16

iOS 16.3 Now Available for Your iPhone With These 4 New Features

Friday February 3, 2023 1:13 pm PST by
Apple released iOS 16.3 in late January following nearly six weeks of beta testing. The software update is available for the iPhone 8 and newer, and while it is a relatively minor update, it still includes a handful of new features, changes, and bug fixes. Below, we've recapped new features in iOS 16.3, including support for physical security keys as a two-factor authentication option for...
iPhone 14 Pro Purple Side Perspective Feature Purple

Gurman: Apple Considering New High-End iPhone Alongside Pro and Pro Max

Sunday February 5, 2023 6:07 am PST by
Apple has discussed selling a new top-of-the-line iPhone alongside the Pro and Pro Max models in 2024 at the earliest, according to Bloomberg's Mark Gurman. Based on this timeframe, the device would be part of the iPhone 16 lineup or later. In a September 2022 edition of his weekly "Power On" newsletter, Gurman said there was "potential" for an iPhone 15 Ultra to replace the iPhone 15 Pro...
ipad air purple

Deals: M1 iPad Air Hits Record-Low Prices at TigerDirect, Starting at $313.99 (48% Off) [Updated]

Saturday February 4, 2023 10:05 am PST by
Online retailer TigerDirect has slashed pricing on the M1 iPad Air in several colors, offering the base 64GB configuration for just $313.99 in Purple and Pink. Note: MacRumors is an affiliate partner with TigerDirect. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. That's a savings of 48% compared to Apple's normal $599.00...
mac studio pink

Apple May Not Launch Updated Mac Studio With M2 Ultra Chip Due to Similarity With Upcoming Mac Pro

Sunday February 5, 2023 6:06 am PST by
A new version of the Mac Studio with the "M2 Ultra" chip is unlikely to arrive in the near future, according to Bloomberg's Mark Gurman. In the latest edition of his "Power On" newsletter, Gurman explained that since the upcoming Apple silicon Mac Pro is "very similar in functionality to the Mac Studio," Apple may wait until the release of M3- or M4-series chips to update the machine, or...
HomePod 2 White and Midnight Feature Purple Orange

Apple Releases tvOS 16.3.1 and HomePod 16.3.1 Software Updates

Monday February 6, 2023 10:13 am PST by
Apple today released new tvOS 16.3.1 and HomePod 16.3.1 software updates, with the software coming two weeks after the tvOS 16.3 and HomePod 16.3 updates were released. According to Apple's release notes for HomePod software 16.3.1, the update includes general performance and stability improvements. Notes for tvOS 16.3.1 are unavailable as of yet, but are probably similar to the HomePod...
iPhone 15 Pro Blue Feature

iPhone 15 Pro 'Buttonless Design' Rumors: Everything We Know

Monday February 6, 2023 7:44 am PST by
The iPhone 15 Pro models will feature a "buttonless design" thanks to additional Taptic Engines, according to multiple corroborated reports, so what do we know about the change so far? Apple analyst Ming-Chi Kuo was first to report that the volume and power buttons on this year's two high-end iPhone models will adopt a solid-state design, similar to the iPhone 7's home button, replacing a...
iphone ultra concept daehnert

'iPhone Ultra' Concept Envisions Apple's Rumored Future Top-Tier Smartphone

Tuesday February 7, 2023 5:38 am PST by
Apple has reportedly considered releasing a new top-of-the-line iPhone alongside future Pro and Pro Max models, tentatively referred to as "iPhone Ultra," and one designer has taken it upon himself to envision what such a device could potentially look like. German industrial designer Jonas Daehnert came up with this impressive-looking concept (pictured) by marrying design elements of the...
webkit vs chromium feature

Google Working on Browser for iOS That Would Break Apple's App Store Rules

Saturday February 4, 2023 1:30 am PST by
Google's Chromium developers are working on an experimental web browser for iOS that would break Apple's browser engine restrictions, The Register reports. The experimental browser, which is being actively pursued by developers, uses Google's Blink engine. Yet if Google attempted to release it on the App Store, it would not pass Apple's App Review process. Apple's App Store rules dictate...