macOS is well secured operating system with relative low market share. In past, malware “developers” mostly weren’t interested in Mac, but time is changing and with growing number of Mac users, especially after success of iPhone, Mac is becoming more popular among these “developers”. Recently, three new malwares were discovered. If you recently downloaded Flash Player or popular convertor HandBrake, your Mac may be infected.
First malware is spreading as fake Adobe Flash Player installer, known under codename “Snake”, “Turtla” and “Urobos”. It was originally targeting Windows, but this malware was successfully ported to Mac operating system.
File name of infected Adobe Flash Player is “Install Adobe Flash Player.app.zip”. It got certificate registered to “Addy Symonds”, instead of Adobe, but it still passed through Gatekeeper. Currently, Apple has already revoked this certificate.
“Snake”, as original installer from Adobe, requires administrator password to get work. In both cases, you will get fully working Adobe Flash Player and causal user won’t see any differences.
This malware can expose passwords and unencrypted files, Malwarebytes said.
Another new malware, called “Dok”, is spread by fake e-mails. It claims that it is macOS update, but that’s not true. It’s fake software with built-in malware and, like “Snake”, it got certificate. So be careful and only install system updates from official Mac App Store.
But most annoying malware was found included in popular free video convertor HandBrake. One of the mirror sites was hacked, so it’s a chance that your Mac is infected. On official forums, HandBrake developers said that infected version of HandBrake was online for 5 days between 02. May 2017 14:30 UTC and 06 May 2017 11:00 UTC.
How to check if I’m affected by this malware?
It’s simple. Just launch Activity Monitor and find process called “Activity_agent”.
Another way is to check checksum of file HandBrake.dmg:
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793
If your downloaded version of HandBrake.dmg has this checksum, you are infected.
How to remove this malware?
It’s very easy. Just launch Terminal and write these commands:
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
- if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
After this, remove HandBrake.app from your Mac. I recommend to use software like AppCleaner to be sure that HandBrake is definitely away.
It’s highly possible, that this malware compromises your passwords in system Keychain, so for security reason, you should change all passwords stored in Keychain.