Microsoft has disabled the ms-appinstaller URI scheme (App Installer) protocol handler by default after observing threat actors misuse it to distribute malware. Since mid-November 2023, Microsoft Threat Intelligence has detected financially motivated actors using the ms-appinstaller URI scheme to deliver malware.
The observed threat actor activity exploits the current implementation of the ms-appinstaller protocol handler as an access vector for malware, potentially leading to ransomware distribution. Cybercriminals have also been found selling a malware kit as a service that abuses the MSIX file format and the ms-appinstaller protocol handler. These threat actors distribute signed malicious MSIX application packages that pose as legitimate popular software, hosted on websites that victims reach through malicious advertisements.
Microsoft highlighted that hackers likely chose the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to protect users from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats. Disabling the handler is part of Microsoft's ongoing efforts to enhance security measures and protect users from evolving cyber threats.
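Because these links start an install without the usual download warnings, defenders may want to find pages or proxy logs that invoke the handler. The following is an added example, not code from Microsoft or from this article: it scans text for ms-appinstaller links in the documented `ms-appinstaller:?source=<URL>` form and flags package sources outside an allowlist. The allowlist host, the sample input and the function name are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts allowed to serve MSIX packages in this environment.
TRUSTED_HOSTS = {"packages.corp.example"}

# The URI runs until whitespace, a quote or an angle bracket.
URI_RE = re.compile(r"ms-appinstaller:[^\s\"'<>]+", re.IGNORECASE)


def find_appinstaller_links(text, trusted_hosts=TRUSTED_HOSTS):
    """Return one finding per ms-appinstaller URI found in HTML or log text."""
    findings = []
    for match in URI_RE.finditer(text):
        uri = html.unescape(match.group(0))  # href values may carry &amp;
        query = uri.split("?", 1)[1] if "?" in uri else ""
        # parse_qs percent-decodes values; keys are compared case-insensitively.
        params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
        source = params.get("source", "")
        try:
            parts = urlsplit(source)
            scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            scheme, host = "", ""
        reasons = []
        if not host:
            reasons.append("no parsable package source")
        elif host not in trusted_hosts:
            reasons.append("source host not on allowlist")
        if host and scheme != "https":
            reasons.append("package fetched without HTTPS")
        findings.append({"uri": uri, "source": source, "host": host,
                         "verdict": "review" if reasons else "allow",
                         "reasons": reasons})
    return findings


# Constructed sample: two HTML links, one proxy log line, one ordinary link.
SAMPLE = """\
<a href="ms-appinstaller:?source=https://packages.corp.example/agent.msix">Agent</a>
<a href="MS-AppInstaller:?source=https%3A%2F%2Fdownloads.invalid%2Fsetup.msix&amp;x=1">Get</a>
GET /r?u=ms-appinstaller:?source=http://198.51.100.7/app.appinstaller 200
<a href="https://packages.corp.example/readme.html">Docs</a>
"""

if __name__ == "__main__":
    for f in find_appinstaller_links(SAMPLE):
        print(f["verdict"], f["host"] or "-", "; ".join(f["reasons"]))
```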
(With Agency Inputs)