HandBrake Malware Targets Mac Users Via Download Server Hack

The developers of HandBrake, a popular open source software program for copying video from a DVD to computer storage, have warned that some MacOS versions of the software were replaced by malware in an apparent hack last week.

An infected version of the software’s installer was placed on one of the project’s download mirror servers, download.handbrake.fr, and was made available to users from Sunday 2 May to Thursday 6 May, developers said.

‘50 percent chance of infection’

While the primary download mirror and website weren’t affected, the project urged users who downloaded and installed the software last week to check for an infection.

“You have 50/50 chance if you’ve downloaded HandBrake during this period,” the project’s developers wrote in an advisory.

HandBrake is also available for Windows and Linux, but those versions weren’t affected, developers said.


Hackers replaced the installer file HandBrake-1.0.7.dmg with an infected version that installs a variant of the OSX Proton trojan horse.

OSX Proton provides attackers with remote access to infected systems, potentially allowing them to steal files, monitor what the user is typing, take screenshots or carry out other malicious activities, according to security researchers.

Users can detect an infection by searching for a process called “Activity_agent” in MacOS’ Activity Monitor or verifying the checksums of the version of HandBrake they installed.
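Both checks can be scripted. The following is an added example, not code from the HandBrake advisory or from this article: it hashes a downloaded installer and compares it with a published SHA-256 value, and scans a process listing for the process name given above. The published checksum does not appear on this page, so it is passed in as a parameter; the function names and the sample process listings are constructed for illustration.

```python
import hashlib
from pathlib import Path

# Process name the article says to look for in Activity Monitor.
INDICATOR_PROCESS = "Activity_agent"

# Constructed `ps -axo comm` listings (not captured from a real machine).
SAMPLE_PS_CLEAN = "/sbin/launchd\n/Applications/HandBrake.app/Contents/MacOS/HandBrake\n"
SAMPLE_PS_SUSPECT = SAMPLE_PS_CLEAN + "/constructed/example/path/Activity_agent\n"


def file_sha256(path, chunk_size=1 << 20):
    """Hash the installer in chunks so a large .dmg need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def installer_matches(path, published_sha256):
    """True only if the local file hashes to the value the project published."""
    return file_sha256(path) == published_sha256.strip().lower()


def indicator_running(ps_output):
    """Exact match on the executable's base name; substrings do not count."""
    return any(Path(line.strip()).name == INDICATOR_PROCESS
               for line in ps_output.splitlines())


def triage(path, published_sha256, ps_output):
    """Run both checks and return a list of findings (empty means clean)."""
    findings = []
    if not installer_matches(path, published_sha256):
        findings.append("checksum mismatch")
    if indicator_running(ps_output):
        findings.append("indicator process running")
    return findings


if __name__ == "__main__":
    import subprocess, sys
    # Usage: python3 check.py <installer.dmg> <published-sha256>
    ps = subprocess.run(["ps", "-axo", "comm"], capture_output=True, text=True).stdout
    print(triage(sys.argv[1], sys.argv[2], ps) or "no findings")
```

The published checksum should be taken from a source other than the server the installer was downloaded from, since the compromised mirror served the modified file itself.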

Password compromise

If the trojan is found to be present, the procedure for removing it is straightforward, but developers also advised users to change all the passwords that may have been present in MacOS’ Keychain or in browser password stores, as they may have been compromised.

The malicious installer’s checksum hashes don’t match those of the official version, meaning that if users have version 1.0 or later installed, the infected update would not have been automatically installed.

However, versions 0.10.5 and earlier don’t verify updates, meaning they may have automatically installed the infected file.

HandBrake’s developers said the affected download mirror has been shut down and is to be rebuilt from scratch.

Some users writing on the discussion forums of the MacRumors website said they had been infected after downloading the malicious update from the HandBrake website, with one user saying the malware had caused a number of suspicious pop-up windows to appear, asking for a system password.

“If you see any suspicious password dialogs, do not enter your password,” the user wrote.

Security experts noted that while Mac users are targeted less frequently than Windows users, they may be more vulnerable since they’re less likely to be running security software.

“Yes, there’s a lot less malware for Mac OS X than there is for Microsoft Windows, but that’s going to be little consolation if you’re unfortunate enough to find yourself a victim,” wrote computer security expert Graham Cluley in a blog post. “Personally I think any Mac users connecting to the internet without an anti-virus solution in place is being downright foolhardy.”


Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
