Eltima’s Elmedia Player has been infected with malware – updated, now clear again

Update: the article below remains important if you downloaded an affected product before yesterday (19 October) afternoon. Eltima has now restored normal function, and their downloads are free from malware again.

If you have downloaded a copy of Eltima’s Elmedia Player from Eltima’s website in the last few days, you should check your Mac as a matter of urgency: there’s a chance that it brought with it a copy of Proton malware, according to a report just posted by ESET.

Infected versions of Elmedia Player were discovered on 19 October 2017 in downloads from Eltima. They contain two new versions of Proton, dubbed OSX/Proton.C and OSX/Proton.D, which do not appear to be detected yet by Apple’s built-in malware protection XProtect. These include persistent components which open a back door, and can steal information about macOS, browser history and login information, some cryptocurrency wallets, 1Password data, and more.

One mark of infection is the presence of two new components in /Library: /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist is the visible property list file, and /Library/.rand/updateragent.app is hidden. Further details are given in the ESET article.
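As an added example (not code from the article, ESET or Eltima), the following POSIX shell script checks a Mac for the two indicators named above and, more generally, for the persistence layout they represent: a LaunchAgent whose job points at a program inside a hidden dot-directory under /Library. The function names and the optional ROOT argument are my own; where plutil is not available (i.e. off macOS) it assumes XML rather than binary plists.

```shell
#!/bin/sh
# Added example (not from the article, ESET or Eltima). ROOT defaults to "/"
# and may instead point at a mounted volume or a constructed test tree.

# The two indicators named in the ESET report, relative to ROOT.
IOC_PLIST="Library/LaunchAgents/com.Eltima.UpdaterAgent.plist"
IOC_APP="Library/.rand/updateragent.app"

# check_known_iocs ROOT: print each named indicator present under ROOT.
check_known_iocs() {
  root="${1:-/}"
  for rel in "$IOC_PLIST" "$IOC_APP"; do
    if [ -e "${root%/}/$rel" ]; then
      echo "IOC present: ${root%/}/$rel"
    fi
  done
  return 0
}

# hunt_hidden_agents ROOT: print every LaunchAgent plist under ROOT whose job
# references a program inside a dot-named (hidden) directory in /Library, the
# persistence layout used here, so a renamed dropper with the same layout is
# still flagged. Binary plists are only readable where plutil exists (macOS).
hunt_hidden_agents() {
  root="${1:-/}"
  dir="${root%/}/Library/LaunchAgents"
  [ -d "$dir" ] || return 0
  for plist in "$dir"/*.plist; do
    [ -f "$plist" ] || continue
    if command -v plutil >/dev/null 2>&1; then
      body=$(plutil -p "$plist" 2>/dev/null)
    else
      body=$(cat "$plist")
    fi
    if printf '%s\n' "$body" | grep -Eq '/Library/\.[^/"<[:space:]]+/'; then
      echo "hidden-path launch agent: $plist"
    fi
  done
  return 0
}

# Run both checks against the live system (or the root given as $1).
check_known_iocs "${1:-/}"
hunt_hidden_agents "${1:-/}"
```

Any line of output deserves a look; an empty result only means these particular indicators and this layout are absent, not that the Mac is clean.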

Components are signed using the developer ID of Clifton Grimm (9H35WM5TA5), rather than Eltima’s, and Apple has apparently revoked that certificate now.

All good anti-virus products should detect this now, or very shortly, and Eltima resumed serving uninfected software by the afternoon of 19 October.

Thanks to Phil Stokes at Sqwarq for pointing this out: he reports that Sqwarq’s DetectX has this covered.