There's a 50% chance that Mac users who recently downloaded HandBrake, a video conversion tool, accidentally installed a Trojan instead. The app's developers said in a security warning that a mirror download server was compromised between May 2 and May 6. Anyone who downloaded HandBrake in that time has been advised to make sure they have the legitimate software instead of the Trojan by verifying an SHA-1 / SHA-256 checksum.
You can also figure out if your Mac has been compromised by checking Activity Monitor (the macOS equivalent to Windows' Task Manager) to see if an "Activity_agent" process is running. If it is, the HandBrake developers said in their warning, you installed the Trojan instead of the real app. The devs said you should "change all the passwords that may reside in your OSX KeyChain or any browser password stores" if your system has been infected.
The good news is that downloads via HandBrake's built-in update tool were not affected during this period--as long as you're using HandBrake 1.0 or later. That version of the app introduced Digital Signature Algorithm (DSA) verification that rejects updates if they present an invalid signature. HandBrake versions 0.10.5 and earlier do not use these protections, however, so you should check your system if you're using those versions.
HandBrake's developers said they have shut down the affected download mirror--which resides at download.handbrake.fr--to investigate the problem. "The Download Mirror Server is going to be completely rebuilt from scratch, so downloads may be a bit slower than usual while the primary picks up the load," they said in their forum post. "During this time, old versions of HandBrake will not be available." It's not clear when the server will return.
Here's how the devs said you can remove the Trojan from your Mac:
Open up the "Terminal" application and run the following commands:
Then Remove any "HandBrake.app" installs you may have.
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
- if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
HandBrake is popular because it's a free and open source video conversion tool available for macOS, Windows, and Linux. Sometimes videos simply aren't supported by specific devices, which means you have to convert them to a format those devices support. (Other times you just want to rip a DVD or Blu-ray that doesn't have any copyright protections.) The Windows and Linux versions of the app don't seem to have been affected by this issue.
You can learn how to validate HandBrake's checksums on the app's GitHub wiki. The app's developers also said they have been "informed that the process to update the definitions for OSX's XProtect feature"--macOS' built-in anti-malware tool--"started this morning, so this should start rolling out to machines automatically soon if not already."