Tainted Mac app HandBrake carries password-stealing Trojan

Mac users who recently downloaded Handbrake, a popular video converter, may have been infected with a password-stealing Trojan.

The developers of HandBrake posted a warning on Saturday that its Mac download mirror at download.handbrake.fr had been compromised to serve up a Trojanized version of the real software. The malware, called OSX.Proton, attempts to trick victims into giving up credentials through malicious login dialog boxes.

The tainted file was available for download between May 2 at 14:30 UTC and May 6 at 11:00 UTC. HandBrake’s developers said there was a high chance that anyone who downloaded the HandBrake-1.0.7.dmg during this period was infected.

The developers urge users to verify the SHA-1/SHA-256 checksum of the HandBrake.dmg file against the values published on the HandBrake site before running it, and advise users who downloaded the malicious version to change all passwords stored in the Mac's Keychain. A Mac is infected if a process called "Activity_agent" is present in the OS X Activity Monitor.
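As an added example, not code from the article or the HandBrake project: a small shell script that performs the two checks the developers describe, comparing the downloaded .dmg's SHA-256 against the published value (the hash is passed on the command line; the one you use must come from HandBrake's own site) and looking for the Activity_agent process in the process list.

```shell
#!/bin/sh
# Added example (not HandBrake's code): verify a downloaded HandBrake .dmg
# before opening it, and look for the Proton indicator process.

# Compute the SHA-256 of a file with whichever tool the system provides
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if the file's SHA-256 equals the expected hash (case-insensitive).
verify_dmg_checksum() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Return 0 if a process named Activity_agent appears in the given process
# list: one command per line, as produced by `ps -axo comm=` (which on macOS
# prints full executable paths, so match on the basename).
proton_indicator_present() {
    printf '%s\n' "$1" | grep -qiE '(^|/)activity_agent$'
}

# Usage: ./check_handbrake.sh HandBrake-1.0.7.dmg <sha256 published by HandBrake>
if [ "$#" -eq 2 ]; then
    if verify_dmg_checksum "$1" "$2"; then
        echo "checksum OK: $1"
    else
        echo "CHECKSUM MISMATCH: do not open $1" >&2
    fi
    if proton_indicator_present "$(ps -axo comm=)"; then
        echo "Activity_agent is running: treat this Mac as infected" >&2
    else
        echo "no Activity_agent process found"
    fi
fi
```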

Apple on Saturday began rolling out definitions to block the Proton malware through its in-built anti-malware feature XProtect, according to HandBrake’s developers.

Proton was discovered in February by security firm Sixgill, which claimed to have found the Proton remote access trojan for sale on Russian-language dark web sites.

The new incident is reminiscent of malware attacks on Mac users last year via twice-compromised copies of the Transmission torrent client. The torrent client was used to distribute a rare instance of OS X ransomware called KeRanger, which had been ported to Mac from a Linux variant, and later malware called OSX.Keydnap.

That both Transmission and HandBrake were co-created by developer Eric Petit has led some to speculate his security practices were being exploited by attackers or that the projects shared servers.

HandBrake's developers, however, said Petit was not part of the HandBrake project and that they don't share infrastructure.

"The HandBrake Team is independent of the Transmission Developers. The projects share history in the sense that the same author created these apps but he is not part of the current HandBrake team of developers," HandBrake noted in an update.

"We do not share our virtual machines with the Transmission project," they added.

While Mac malware remains relatively scarce compared to its Windows counterpart, Apple has updated XProtect a number of times to counter new Mac malware. Security firm Fox-IT also last week spotted a Mac version of an espionage tool dubbed Snake that previously targeted Windows, while Check Point recently reported the first example of a malware campaign targeting Mac users through phishing spam.
