HandBrake Urges Mac Users To Verify Recent Download, Says Mirror Server Was Compromised

HandBrake team, writing on their forum: Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it. Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50 chance if you've downloaded HandBrake during this period. If you see a process called "Activity_agent" in the OSX Activity Monitor application. You are infected. HandBrake is a popular, open-source video conversion tool. The team hasn't issued any advisory for Windows users.

Actibity_agent

Do not confuse Activity_agent with "Activity Monitor", which is a perfectly legitimate process and part of the core Mac OS tools.
The trojan was likely named thus in order to maximize the potential for confusion.

It's most likely a legal is (licenses are cheap)

Apple developer licenses are ridiculously cheap when compared to most other companies. It's 99 USD/year for a macOS or iOS license. The 299 USD license is only if you intend to develop in-house apps that you distribute and update internally. The bigger headache for most FOSS teams is that they either have to register the license to an individual or to an organization. Registering under an individual is quick/easy but can be problematic if something happens to that person or they decide to hijack the project (both of which have happened with FOSS projects before). Registering an organization is fairly easy as well but creating and maintaining a legal entity can be a headache depending on where it's based. In most states in the US you have to have a charter, keep minutes, financial reports, etc. Given that it's already a labor of love for most people on the project, finding someone with the time and experience to deal with all of that can be difficult. So most don't.

Summary from Article

[CanadianMacFan]

- HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which mirrors these: https://github.com/HandBrake/H...

- The Affected Download mirror (download.handbrake.fr) has been shutdown for investigation.

- The Primary Download Mirror and website were unaffected.

- Downloads via the applications built-in updater with 1.0 and later are unaffected. These are verified by a DSA Signature and will not install if they don't pass.

- Downloads via the applications built-in updater with 0.10.5 and earlier did not have verification so you should check your system with these older releases

Re:Was It Signed?

[Midnight+Thunder]

Handbrake is not signed, but they are interested in having it signed in the future.

The challenge is they are neither an organisation or an individual developer. To be recognised as a legitimate organisation you need a DUNS and go through the required paper work. This leaves them with the individual developer approach, which would probably require a trusted person, part of the inner team that would sign on behalf of the team. There are risks of course, but not many good alternatives.

I am wondering whether in the future the FSF could act as the necessary 'organisation', but then it is trying to work out the paper work, how to avoid abuse and what the cost would be. Yet another alternative would be for Apple to suggest a workable alternative. Maybe a notion of a team certificate, but with extra background checks? I am sure there are other good ideas out there.