MacBook Proton: Data-thieving trojan hits Elmedia video player

Affected users urged to conduct complete OS reinstall

Mac users who recently downloaded Elmedia Player onto their devices may have unwittingly exposed their system details, cryptocurrency wallets, and password data, after it emerged hackers had injected malware into the popular freeware video player.

According to research published by the ESET security community, Eltima, the makers of Elmedia Player, have been distributing a version of their application trojanized with the OSX/Proton malware.

The backdoor attack was confirmed on October 19, and Eltima published an announcement detailing the event shortly after.

ESET said it advises anyone who recently downloaded Elmedia Player – or the company’s Folx download manager and torrent client – to verify if their system has been compromised by testing for the presence of any of the following file or directory:

/tmp/Updater.app/
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand/
/Library/.rand/updateragent.app/

“If any of them exists, it means the trojanized Elmedia Player or Folx application was executed and that OSX/Proton is most likely running,” ESET stated.

Fortunately, the window of infection is relatively small. Eltima said the trojan package only affected users who downloaded the software on October 19 – and only then when done so directly from its own website.

However, the presence of any of the files above is an indication that your system has been infected by the trojanized application, which means OSX/Proton is likely to be hoovering up a wide range of valuable personal data, including operating system details, browser information such as cookies and bookmarks, cryprocurrency wallets, SSH private data, macOS keychain data, VPN configuration, and password data.

As with any compromised administrator account, ESET said a full OS reinstall is the only sure way to get rid of the malware.

“If you downloaded that software on October 19 before 3:15pm EDT and run it, you are likely compromised,” stated ESET. “Victims should also assume at least all the secrets outlined are compromised and take appropriate measures to invalidate them.”

With a reported one million users as of August 2017, Elmedia is marketed as a “super versatile” video app. The multi-format video player supports FLV, MP4, AVI, MOV, DAT, MKV, MP3, and FLAC, among others, and also includes an audio auto-sync feature.

OSX/Proton is the latest example of hackers’ resurgent interest in Mac-oriented trojans. Last year, the Mac Bittorrent client Transmission was twice abused to spread malware: first the OSX/KeRanger ransomware followed by OSX/Keydnap password stealer.

This year, the Handbrake video-transcoder application was found bundled with OSX/Proton.