macOS and iOS developer says they ‘got pwned’ by video app infected with malware
The macOS and iOS development company Panic today said that they were the victim of malware, though they said they see no indication that any customer information was obtained by the attacker, or that their servers and data were accessed.
The news comes, ironically, on the day a second wave of ransomware attacks appears to be targeting computers running Windows that have not been updated or had the patch installed that blocks the attack.
The problem originates with the HandBrake app, a popular video converter program for the Mac. The app was infected with a new variant of the Proton malware, so those who downloaded new versions of HandBrake between May 2 and May 6 might have gotten an infected version (in other words, if you have a copy of HandBrake installed on your Mac but did not just recently download it, your version is fine).
The Malwarebytes Lab website says there is a way to check your copy of the software:
If you download a new copy of HandBrake, you can check it against the checksums listed on the HandBrake site to verify that it is valid. However, there’s a big problem with this: If the website has been hacked to replace the legit copy of the software with a bad one, it’s reasonable to assume that the checksums there could be replaced with bad ones as well.
Unfortunately, HandBrake is not code signed, so there’s no real way to verify with 100% certainty that the copy you have has not been tampered with.
As for Panic, as luck would have it, they downloaded HandBrake during the time period when the infected app was available.
“In a case of extraordinarily bad luck, even for a guy that has a lot of bad computer luck, I happened to download HandBrake in that three day window, and my work Mac got pwned,” wrote Steven Frank on the Panic blog.
“Long story short, somebody, somewhere, now has quite a bit of source code to several of our apps.”
According to Frank, once he discovered the infection on his Mac, he “took the Mac out of commission, and we began the incredibly lengthy process of changing all of my passwords, rotating the relevant secret keys throughout our infrastructure, and so on, to re-lock our doors and hopefully prevent anything else from being stolen.”
What a mess, but Panic has been transparent about what has occurred, which is good to see. Unfortunately, Panic knows its source code is in someone else’s possession.
The malware will ask the Mac user for their admin password when the user first opens the infected version of HandBrake, something that won’t seem very unusual to many users installing a new piece of software (it’s unusual for HandBrake, though). If the user presses cancel, they will be OK, as the software won’t install. But if it is installed, the malware will create a backdoor and will gain access to your Keychain, which means the first thing the user should do is change all their passwords.
“Seems like this is increasingly becoming something Mac users have to worry about,” Malwarebytes concludes… which really sucks because it is so much fun pointing the finger at Microsoft whenever these Windows attacks occur.
To remove the infected HandBrake app the developer says to do the following:
Open up the “Terminal” application and then run the following commands:
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
- if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
Then find any “HandBrake.app” files and delete them.
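The removal steps above, wrapped in a POSIX shell function as an added example (this is not code from the article, HandBrake or Malwarebytes). It takes the home directory to scan as a parameter so it can be exercised against a constructed directory tree, reports each of the three artifacts the steps name, deletes them only when asked to, and calls launchctl only where it exists (on macOS).

```shell
#!/bin/sh
# Added example: report or remove the Proton artifacts named in the
# HandBrake removal instructions. Not part of HandBrake or the article.
#
# Usage: handbrake_proton_check <home_dir> [remove]
# Prints each artifact found. Returns 0 if none were found, 1 otherwise
# (in remove mode, 1 means artifacts were found and have been deleted).
handbrake_proton_check() {
    home="${1:-$HOME}"
    action="${2:-report}"
    plist="$home/Library/LaunchAgents/fr.handbrake.activity_agent.plist"
    agent="$home/Library/RenderFiles/activity_agent.app"
    frameworks="$home/Library/VideoFrameworks"
    found=0

    # Step 1: the persistence LaunchAgent. Unload it before deleting it,
    # but only where launchctl exists (i.e. on macOS).
    if [ -e "$plist" ]; then
        found=1
        echo "found launch agent: $plist"
        if [ "$action" = remove ]; then
            if command -v launchctl >/dev/null 2>&1; then
                launchctl unload "$plist" 2>/dev/null
            fi
            rm -f "$plist"
        fi
    fi

    # Step 2: the agent bundle the LaunchAgent points at.
    if [ -e "$agent" ]; then
        found=1
        echo "found agent bundle: $agent"
        if [ "$action" = remove ]; then
            rm -rf "$agent"
        fi
    fi

    # Step 3: the VideoFrameworks folder, removed whole only when it
    # actually contains proton.zip, as the instructions say.
    if [ -e "$frameworks/proton.zip" ]; then
        found=1
        echo "found dropper archive: $frameworks/proton.zip"
        if [ "$action" = remove ]; then
            rm -rf "$frameworks"
        fi
    fi

    return "$found"
}
```

Source the file and run `handbrake_proton_check "$HOME"` to get a report without changing anything, then add `remove` as the second argument to clean up; the final step from the article, locating and deleting any HandBrake.app bundles, is still done by hand.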