large image

Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

Mac HandBrake Virus: How to check if your Apple Mac is infected by the malware

If you’ve downloaded the HandBrake video transcoder for Mac recently, your machine may be infected by a Trojan. Here’s what you need to know about the new malware threat.

HandBrake for Mac malware explained

HandBrake is an open-source video transcoder that’s available on Mac. It’s freely available and very popular, as it allows users to convert video to different formats.

But that popularity could be about to take a downswing, as the team behind the program are now warning users that they may have accidentally downloaded spyware to their machine.

If you downloaded the HandBrake for Mac software between May 2 and May 6, you may have downloaded a version of the OSX.PROTON Trojan malware onto your system. We’re aware some of you might not technically class it as a ‘virus’, but running the numbers, enough of you are after a solution for it as a ‘virus’ that it’s worth blurring the lines in this instance – we want to help as many people as possible, after all.

In a statement, HandBrake’s creators said: “Anyone who installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance if you’ve downloaded HandBrake during this period.”

The Proton Trojan lets hackers spy on your activities, including every keystroke you type. It can also upload files to your machine, download files from the internet, and send screenshots to the hacker. It can even connect to remote administration tools, which could result in your entire machine being taken over.

Related: Best free antivirus

MacBook Pro 13 2016

Are you infected?

To check if you’re infected, open the OS X Activity Monitor. If you see a process called “activity_agent” then you’re infected.

Similarly, take a look at the HandBrake.dmg file you installed. If you see the following checksums, you’re also infected:

  • SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
  • SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

The good news is that Apple has now pushed out a new signature that should prevent new infections.

How to remove the spyware

Fortunately, if your machine has been infected, it’s very easy to remove the Proton trojan.

First, open up the ‘Terminal’ application on your Mac. Then, enter the following commands:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/
  • if ~/Library/VideoFrameworks/ contains, remove the folder

You’ll then need to remove any ‘’ installs you have. Once that’s done, we’d recommend changing all of the passwords that are in your OS X KeyChain or any browser password stores. However, only do this after you’ve completed the spyware removal, otherwise it’s a bit pointless.

Related: Best laptops

Were you affected by this issue? Let us know in the comments.

Why trust our journalism?

Founded in 2004, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.