Proton is back: What you need to know about this malware

What is Proton malware?

Proton is a macOS backdoor (a remote access trojan) that reaches victims hidden inside downloads of genuine software, either a tampered copy of a real app or an installer that only appears to contain a genuine app.

It was first reported in February 2017, when it was found being sold on a cybercrime forum, and Apple pushed an XProtect signature update that blocked that first sample. But those behind it soon found a way around that. In May 2017, Proton was hidden inside a trojanized copy of HandBrake, the popular video transcoder often used as a DVD ripper, served from a compromised download mirror. Shortly after that avenue was blocked, Proton turned up bundled into Elmedia Player and Folx, after the Eltima Software website and download servers were compromised in October 2017.

Determined to spread this malware far and wide, its operators then turned to a fake Symantec app. Using black-hat SEO tactics and a cloned Symantec blog, they pushed a bogus "Symantec Malware Detector" that actually installed Proton, so that people looking for a tool to find and remove malware downloaded the very malware it claimed to detect.

Proton also has a close relative. In 2018, Kaspersky analyzed an older macOS trojan known as Calisto, a sample of which had been uploaded to VirusTotal back in 2016; it was distributed through a fake Intego Mac Internet Security X9 installer. Calisto's design and behavior are so similar to Proton's that Kaspersky's researchers concluded it was most likely a precursor of Proton, and both have been pushed through the internet in the same way, disguised as legitimate security or media software. Calisto's campaign is long dead, but its lineage lives on in Proton, and some security experts believe Calisto itself was not the first version of this malware.


What does Proton do?

Although System Integrity Protection in more recent macOS versions blocks some of what this malware family was built to do (Calisto, for instance, tries to disable SIP, add a hidden admin user and enable remote login, and those steps fail on a SIP-protected system), Proton can still collect passwords and other sensitive information. Whenever it can, Proton, following in Calisto's footsteps, finds and records credentials such as Keychain contents and saved browser logins, then sends them back to its command-and-control (C&C) server.

When sending them isn't possible, whether because the C&C server is unreachable or because OS hardening blocks part of the routine, the malware still writes the harvested passwords to disk in clear text, in hidden files under your home folder. That means that with a backdoor on your Mac and your passwords sitting unencrypted on disk, any other virus, trojan, spyware or ransomware that sneaks onto the Mac, or anyone who gets at the machine, can simply read them.

With this data, you could become the victim of identity theft or fraud. Passwords in plain text put your Mac and everything it protects at risk. This is not a problem you want to have, so here is how to detect and remove Proton.


How to remove Proton: The manual way

Security researchers have found that the plain-text credential files written by Proton and its predecessor Calisto (the .calisto directory is the one Calisto uses) live in the following locations:

~/.calisto/cred.dat

~/Library/VideoFrameworks/.crd

/Library/.cachedir/.crd

To remove this malware manually, or even to know whether you've been infected (which is not always obvious), checking those locations for a plain-text copy of your passwords is a useful first step. Note that these are file paths, not commands: check them in Terminal by running ls -la on each path, since the leading dot hides them from Finder.

If ls comes back with "No such file or directory" for all three, those artifacts are not present (that does not prove the Mac is clean, but it is a good sign). If any of them exists, the credential file needs to be removed along with the original infection, and you should treat every password stored on that Mac as compromised and change it, because the file proves the harvesting already happened. Removing the infection itself is harder: the files are hidden dot-files that Finder will not show, the dropper can use a number of different names, and malware executables often plant themselves in more than one place, so you may need to search through several folders within Applications and Library.

Another risk is that removing malware by hand can end in deleting something your Mac needs to operate, so back up first and remove only what you can positively attribute to the infection.
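As an added example (not from the original article and not CleanMyMac's code), here is the check above as a small POSIX shell script: it looks for the three artifact paths, prints the size and timestamps of anything it finds, and returns non-zero if any of them exists. The home_dir and root_dir arguments are an assumption added so the check can be pointed at a mounted volume or a test tree; with no arguments it inspects the running Mac.

```shell
#!/bin/sh
# Added example: look for the plain-text credential dumps Proton and Calisto
# leave behind. The three paths are the ones the article lists; the optional
# home_dir/root_dir arguments are an assumption made here so the check can be
# run against another volume or a test directory.

# Artifacts relative to the user's home folder and to the volume root.
PROTON_HOME_ARTIFACTS=".calisto/cred.dat Library/VideoFrameworks/.crd"
PROTON_ROOT_ARTIFACTS="Library/.cachedir/.crd"

# report_artifact PATH: print size and the ls -la line (owner, mtime) so you
# know when the harvesting happened and which passwords to rotate.
report_artifact() {
  printf 'FOUND %s (%s bytes)\n' "$1" "$(wc -c < "$1" | tr -d ' ')"
  ls -la "$1"
}

# proton_check [home_dir] [root_dir]
# Returns 0 if none of the artifact files exist, 1 if at least one does.
proton_check() {
  home_dir="${1:-$HOME}"
  root_dir="${2:-/}"
  found=0
  for rel in $PROTON_HOME_ARTIFACTS; do
    p="${home_dir%/}/$rel"
    if [ -e "$p" ]; then
      report_artifact "$p"
      found=1
    fi
  done
  for rel in $PROTON_ROOT_ARTIFACTS; do
    p="${root_dir%/}/$rel"
    if [ -e "$p" ]; then
      report_artifact "$p"
      found=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "No Proton/Calisto credential files found in ${home_dir} or ${root_dir}."
  fi
  return "$found"
}

# Run against this Mac when executed directly: sh proton_check.sh
proton_check "$@"
```

A non-zero exit status means at least one credential dump exists, so the script can be dropped into a cron job or an endpoint script and alert on its return code; a zero only says these particular files are absent, not that the Mac is clean.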


How to remove Proton: CleanMyMac

Thankfully, there is an alternative to attempting to remove this virus manually.

With CleanMyMac X, you can remove Proton, Calisto, and dozens of other password-stealing forms of malware.

CleanMyMac X is capable of removing known viruses, malware, adware, spyware, and dozens of other cyber problems. It also cleans your Mac and dramatically improves performance, clearing out - on average - 62GB of junk files from every Mac.

Remove Proton and any other computer viruses with CleanMyMac X:  

  1. Download CleanMyMac X (for free!);
  2. Open the app;
  3. Click the Malware Removal tab;
  4. Click Scan to find any unwanted applications;
  5. Click Remove and they will vanish.

Getting rid of Proton is a smart move. Even if it can’t - or hasn’t yet - transmitted passwords back to those behind it, leaving that information out in the open could easily result in a data breach. Hackers could get into your bank accounts, email accounts, social networks and other sensitive accounts. Closing that door will keep your Mac and accounts safe.
