HandBrake Malware Targets Mac Users Via Download Server Hack

The developers of HandBrake, a popular open source software program for copying video from a DVD to computer storage, have warned that some MacOS versions of the software were replaced by malware in an apparent hack last week.

An infected version of the software’s installer was placed on one of the project’s download mirror servers, download.handbrake.fr, and was made available to users from Sunday 2 May to Thursday 6 May, developers said.

‘50 percent chance of infection’

While the primary download mirror and website weren’t affected, the project urged users who downloaded and installed the software last week to check for an infection.

“You have 50/50 chance if you’ve downloaded HandBrake during this period,” the project’s developers wrote in an advisory.

HandBrake is also available for Windows and Linux, but those versions weren’t affected, developers said.

Hackers replaced the installer file HandBrake-1.0.7.dmg with an infected version that installs a variant of the OSX Proton trojan horse.

OSX Proton provides attackers with remote access to infected systems, potentially allowing them to steal files, monitor what the user is typing, take screenshots or carry out other malicious activities, according to security researchers.

Users can detect an infection by searching for a process called “Activity_agent” in MacOS’ Activity Monitor or verifying the checksums of the version of HandBrake they installed.

Password compromise

If the trojan is found to be present, the procedure for removing it is straightforward, but developers also advised users to change all the passwords that may have been present in MacOS’ Keychain or in browser password stores, as they may have been compromised.

The malicious installer’s checksum hashes don’t match those of the official version, meaning that if users have version 1.0 or later installed, the infected update would not have been automatically installed.

However, versions 0.10.5 and earlier don’t verify updates, meaning they may have automatically installed the infected file.

HandBrake’s developers said the affected download mirror has been shut down and is to be rebuilt from scratch.

Some users writing on the discussion forums of the MacRumors website said they had been infected after downloading the malicious update from the HandBrake website, with one user saying the malware had caused a number of suspicious pop-up windows to appear, asking for a system password.

“If you see any suspicious password dialogs, do not enter your password,” the user wrote.

Security experts noted that while Mac users are targeted less frequently than Windows users, they may be more vulnerable since they’re less likely to be running security software.

“Yes, there’s a lot less malware for Mac OS X than there is for Microsoft Windows, but that’s going to be little consolation if you’re unfortunate enough to find yourself a victim,” wrote computer security expert Graham Cluley in a blog post. “Personally I think any Mac users connecting to the internet without an anti-virus solution in place is being downright foolhardy.”


Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
