If you’ve downloaded the HandBrake video transcoder for Mac recently, your machine may be infected by a Trojan. Here’s what you need to know about the new malware threat.
HandBrake for Mac malware explained
HandBrake is an open-source video transcoder that’s available on Mac. It’s freely available and very popular, as it allows users to convert video to different formats.
But that popularity could be about to take a downswing, as the team behind the program are now warning users that they may have accidentally downloaded spyware to their machine.
If you downloaded the HandBrake for Mac software between May 2 and May 6, you may have downloaded a version of the OSX.PROTON Trojan malware onto your system. We’re aware some of you might not technically class it as a ‘virus’, but running the numbers, enough of you are after a solution for it as a ‘virus’ that it’s worth blurring the lines in this instance – we want to help as many people as possible, after all.
In a statement, HandBrake’s creators said: “Anyone who installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance if you’ve downloaded HandBrake during this period.”
The Proton Trojan lets hackers spy on your activities, including every keystroke you type. It can also upload files to your machine, download files from the internet, and send screenshots to the hacker. It can even connect to remote administration tools, which could result in your entire machine being taken over.
Related: Best free antivirus

Are you infected?
To check if you’re infected, open the OS X Activity Monitor. If you see a process called “activity_agent” then you’re infected.
Similarly, take a look at the HandBrake.dmg file you installed. If you see the following checksums, you’re also infected:
- SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
- SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793
The good news is that Apple has now pushed out a new signature that should prevent new infections.
How to remove the spyware
Fortunately, if your machine has been infected, it’s very easy to remove the Proton trojan.
First, open up the ‘Terminal’ application on your Mac. Then, enter the following commands:
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
- if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
You’ll then need to remove any ‘HandBrake.app’ installs you have. Once that’s done, we’d recommend changing all of the passwords that are in your OS X KeyChain or any browser password stores. However, only do this after you’ve completed the spyware removal, otherwise it’s a bit pointless.
Related: Best laptops
Were you affected by this issue? Let us know in the comments.