Popular video-encoding Mac app HandBrake compromised with malware

The creators of media transcoding program HandBrake have warning that certain downloads of the installer for the Mac version of the app may contain a Trojan virus.

Downloading the app between May 2 (14:30 UTC) and May 6 (11:00 UTC) from the “download.handbrake.fr” mirror means you have a 50-percent chance of being infected with the Trojan. Automatically updated apps (using updater version 1.0 and above), and files downloaded from the primary mirror are unaffected.


The attackers replaced the usual HandBrake installer file, titled ‘HandBrake-1.0.7.dmg’, with a version that also contained the Trojan virus, so checking if you have this file on your system and seeing when it was downloaded is the first step to identifying the threat.

If you have downloaded the installer during the specified time window, you can check if you’ve inadvertently installed the malware by opening your Mac’s Activity Monitor application and seeing if you have a process called “Activity_agent”. If so, you are infected.

READ MORE  Blue screen of death? It could be malware

If you still have the installer file, you can also check if it has either of the following checksums, which likewise indicate that it contains the Trojan.

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274

SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

For a step-by-step on determining a file’s checksums, check out this how-to.


Removing the malware is thankfully quite simple. Open the Terminal by searching for it in the Launchpad and type the following commands (without the bullet point), hitting enter after each line.

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Once you’ve done this, open your Applications folder and remove any instances of Handbrake.app there (or any other locations you may have installed it to).

Because this Trojan targets login credentials and sensitive information, if you’ve been infected it’s recommended you change all login credentials that are stored in Apple’s macOS KeyChain or any similar password-storing services, such as browser-based password stores. Note that deleting login credentials from these services isn’t sufficient — you’ll need to actually change each password that has been stored in one of these locations, as they could have already been sent to the Trojan’s creators.

READ MORE  McAfee and Google Assistant will let you secure your smart home with your voice

      Select your currency
      Register New Account