Proton is back: What you need to know about this malware

What is Proton malware?

Proton is a type of malware that hides inside downloads of genuine software. It can also lurk within software installers that appear to contain genuine apps.

It was first discovered in February 2017, when an Apple security update prevented the virus from spreading further. But those behind it soon found a way around that. In May, Proton was hidden within a version of the popular DVD ripper tool HandBrake. Shortly after that avenue was blocked, Proton worked its way into Elmedia Player and Folx following a hack of the Eltima Software website.

Its operators, determined to spread the malware far and wide, also got Proton onto Macs through a fake Symantec app. Using black-hat SEO tactics, the fake Symantec app was promoted to spread the malware further, encouraging people to download software that would give them the very virus it claimed to find and remove.

When first uncovered, Proton behaved similarly to an earlier malware called Calisto. Although Calisto is dead and buried (it spread quite extensively in 2016), Proton is based on the same source code and has been promoted through the internet in similar ways. Calisto was distributed through a fake Intego Mac Internet Security X9 installer, and some security experts believe it was not the first version of this malware.

What does Proton do?

Although more modern Mac operating systems block some of the functions this malware was designed for, Proton can still collect passwords and other sensitive information. Whenever it can, Proton, following in the footsteps of Calisto, finds and records passwords and sends them back to its command-and-control (C&C) servers.

When that isn’t possible (because of changes in the operating system and security updates), Proton simply collects and stores the passwords locally in clear text. With a backdoor open on your Mac and your passwords readable by anyone who can reach those files, this creates the perfect opportunity for another virus, Trojan, spyware, or ransomware to sneak into your Mac and steal them.

With this data, you could become the victim of identity theft or fraud. Passwords stored in plain text put your Mac and everything that needs protecting at risk. This is definitely not a problem you want to have, so here is how to detect and remove Proton.


How to remove Proton: The manual way

Security experts have found that the files in which Proton stores the passwords it uncovers are located at:

~/.calisto/cred.dat

~/Library/VideoFrameworks/.crd

/Library/.cachedir/.crd

To remove this malware manually, or even to know whether you’ve been infected (since that is not always noticeable), check those locations to find out whether a plain text copy of your passwords is present. It is a helpful first step. List those paths in Terminal to determine whether your Mac is infected.

If Terminal comes back with “no such file or directory,” you don’t need to worry. If it does not, these files need to be removed, along with the original infection. That can prove more difficult, because the files are hidden (their names begin with a dot, so Finder does not show them by default) and there are numerous names they could be hiding under. Malware executable files always deposit themselves in multiple locations, so you might need to search through a few folders within Applications and Library.
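One way to run the check described above, as an added example that is not code from the original article or from CleanMyMac: a small POSIX shell script that lists the three locations and reports which of them exist. The three paths are the ones given in the article; the function name check_paths, the output wording, and the result messages are my own. The script only reads and lists, so it is safe to run on a Mac you merely suspect.

```shell
#!/bin/sh
# Added example, not code from the article or from CleanMyMac.
# Reports whether the Proton/Calisto credential-dump files named in the
# article exist on this Mac. It only reads and lists; it never deletes.

# check_paths PATH...
# Prints one line per path. Returns 0 when none of the paths exist and
# 1 when at least one does, so the result can be used in an `if`.
check_paths() {
    found=0
    for p in "$@"; do
        if [ -e "$p" ]; then
            found=1
            printf 'FOUND: %s\n' "$p"
            # ls -la shows dot-files (hidden from Finder by default) with
            # their size and modification time, without printing contents.
            ls -la "$p"
        else
            # Same wording Terminal itself gives for a missing path.
            printf 'clean: %s (no such file or directory)\n' "$p"
        fi
    done
    return "$found"
}

# The three locations from the article; $HOME is expanded for the current user.
if check_paths "$HOME/.calisto/cred.dat" \
               "$HOME/Library/VideoFrameworks/.crd" \
               "/Library/.cachedir/.crd"; then
    echo "Result: none of the known Proton/Calisto credential files are present."
else
    echo "Result: at least one credential file exists. Treat this Mac as compromised:"
    echo "change the passwords stored on it, then remove the files and the installer"
    echo "that brought them before relying on the machine again."
fi
```

Save it as a file, run it with sh from Terminal as the user whose home folder you want to inspect, and read the FOUND lines. A clean result only means these three known names are absent; as the article notes, the files may hide under other names and in other folders, so it rules in an infection far more reliably than it rules one out.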

Another risk is that attempting to remove malware manually could result in you removing something your Mac needs to operate.


How to remove Proton: CleanMyMac

Thankfully, there is an alternative to attempting to remove this virus manually.

With CleanMyMac X, you can remove Proton, Calisto, and dozens of other password-stealing forms of malware.


CleanMyMac X is capable of removing known viruses, malware, adware, spyware, and dozens of other cyber problems. It also cleans your Mac and dramatically improves performance, clearing out — on average — 62GB of junk files from every Mac.

Remove Proton and any other computer viruses with CleanMyMac X:

  1. Download CleanMyMac X (for free).
  2. Open the app.
  3. Click the Malware Removal tab.
  4. Click Scan to find any unwanted applications.
  5. Click Remove, and they will vanish.

Getting rid of Proton is a smart move. Even if it can’t or hasn’t yet transmitted passwords back to those behind it, leaving that information out in the open could easily result in a data breach. Hackers could get into your bank accounts, email accounts, social networks, and other sensitive accounts. Closing that door will keep your Mac and accounts safe.
