On 6 May, the company warned its users about this security flaw in its servers. According to the HandBrake team, an unknown hacker or group had taken over one of its download mirror servers (download.handbrake.fr), and the attackers replaced the Mac version of the HandBrake client (HandBrake-1.0.7.dmg) with a malicious version that included the latest version of Proton.
Proton, a Mac-based Trojan, was initially discovered on a Russian underground hacking forum in February. This Trojan is designed to give the attacker root access to the infected system.
Although the affected server has been deactivated for further investigation, the company has warned its users that 'Users who had downloaded HandBrake for Mac from the infected server between 2 May and 6 May 2017 have a '50/50 chance' of getting their Mac infected by Proton.'
The team also provided instructions for checking whether a system has been infected. If the OS X Activity Monitor application shows a process called 'Activity agent', the system is infected with Proton. A sign of infection can also be found by checking the hashes of the downloaded software. The checksums are:
If you have downloaded and installed software with one of the above-mentioned checksums, your system is infected with the Trojan. The company has also provided instructions for removing Proton from the infected system.
Step 1: Open the 'Terminal' application and run the following commands:
    launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
    rm -rf ~/Library/RenderFiles/activity_agent.app
Step 2: If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder.
Step 3: After this, remove all installations of HandBrake from the PC.
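A read-only check for the files named in steps 1 and 2, added here as an example and not taken from the HandBrake team's instructions. The three paths come from the steps above; the function names and the /Users default are assumptions.

```shell
#!/bin/sh
# Added example: reports the Proton artifacts named in the removal steps.
# It only looks for them and deletes nothing.

# Paths relative to a user's home directory, taken from steps 1 and 2.
PROTON_PATHS='Library/LaunchAgents/fr.handbrake.activity_agent.plist
Library/RenderFiles/activity_agent.app
Library/VideoFrameworks/proton.zip'

# scan_home HOME_DIR (hypothetical helper)
# Prints one "FOUND <path>" line per artifact present under HOME_DIR.
# Returns 1 if at least one artifact exists, 0 if none do.
scan_home() {
    home_dir=$1
    hits=0
    # Reading from a heredoc keeps the loop in this shell, so $hits survives.
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ -e "$home_dir/$rel" ]; then
            printf 'FOUND %s\n' "$home_dir/$rel"
            hits=$((hits + 1))
        fi
    done <<EOF
$PROTON_PATHS
EOF
    [ "$hits" -eq 0 ]
}

# scan_all_homes BASE_DIR (hypothetical helper)
# Runs scan_home on every directory under BASE_DIR, so other accounts on a
# shared Mac are covered too. Returns 1 if any home contains an artifact.
scan_all_homes() {
    base=$1
    infected=0
    for dir in "$base"/*; do
        [ -d "$dir" ] || continue
        scan_home "$dir" || infected=1
    done
    [ "$infected" -eq 0 ]
}

# Default to /Users (assumed location of home directories on macOS).
if scan_all_homes "${1:-/Users}"; then
    echo "No Proton artifacts found"
else
    echo "Proton artifacts present: follow the removal steps"
fi
```

Run it from an administrator account so that other users' Library folders are readable.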
As a security measure, go to settings and change the passwords that were stored in the OS X keychain and in browser password stores.
Users who updated to HandBrake version 1.0 or above were not affected by this issue, because it uses DSA signatures to verify the downloaded files. This is an alert to Mac users who have, knowingly or unknowingly, installed a copy of the HandBrake transcoder app that has been infected with a dangerous remote access Trojan.