Macbook Air with code
Open source Mac video converter app HandBrake was compromised by malware Proton Trojan. takanashi66/Pixabay

Popular open source MacOS video converter HandBrake was compromised by malware for nearly five days earlier this month, a message from the company behind the application revealed Monday.

A download mirror server used to host HandBrake was hacked, and a modified version of HandBrake that contained a variant of the OSX.Proton Trojan was uploaded in its place, meaning anyone who downloaded the app from the compromised server may have been infected.

Read: Mac Malware: OSX/Dok Bypasses Apple Security, Steals Internet Activity

The makers of HandBrake said anyone who downloaded the app for Mac from 10:30 a.m. EDT last Tuesday until 7 p.m. EDT Saturday may have been hit by the exploit. The company said anyone who downloaded the app during that period has a “50/50 chance” of being infected.

The OSX.Proton Trojan downloaded from the compromised server is a remote access trojan (RAT) that has been spread through Russian forums.

An analysis published by security researchers at cyberintelligence firm Sixgill found the malware is able to spy on user activities. It is capable of monitoring a user’s keystrokes, uploading files remotely to the victim’s machine, downloading files from the internet, taking screenshots of user activity and gaining root access to the device.

The malware is often able to bypass Apple’s GateKeeper tool designed to keep unauthorized applications from installing on a device because the trojan ships with an Apple-approved signature that was likely stolen or faked.

Read: Mac Malware: Snake Attack Used For Targeted Espionage Discovered for MacOS

When a user tries to launch the compromised version of HandBrake, the Proton trojan will launch a fake authentication message that asks for the username and password of the user. If the user provides that information, the malware will install itself and elevate its privileges to further infect the machine.

How to Find and Remove Proton Trojan

Because GateKeeper and other third-party virus scanners have yet to catch the threat of the Proton trojan, users have to take their protection into their own hands.

The first step is detecting if the Proton trojan is on your system. This can be done by opening the OSX Activity Monitor application, found in the Utilities folder. Look for a process in the Activity Monitor called “activity_agent.” If it is present on your system, you are infected.

You can remove the trojan by opening the MacOS Terminal application, also found in the Utilities folder. With Terminal open, run each of the following commands by copying and pasting the command into Terminal and hitting enter:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist

  • rm -rf ~/Library/RenderFiles/activity_agent.app

  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

It’s also advised those who have been infected remove any "HandBrake.app" installations they may have.

The creators of HandBrake warn that even if the trojan is removed entirely from a device, there is still a risk it may compromise a user’s passwords stored in MacOS KeyChain or in the browser. It is recommended that users change their passwords after removing the malware.