Microsoft Takes Action: Disables 'App Installer' Used by Hackers for Malware Distribution

The observed threat actor activity exploits the current implementation of the ms-appinstaller protocol handler as an access vector for malware, potentially leading to ransomware distribution.

Microsoft has disabled its ms-appinstaller URI scheme (App Installer) after observing threat actors misusing it to distribute malware. Since mid-November 2023, Microsoft Threat Intelligence has observed financially motivated actors using the ms-appinstaller URI scheme to deliver malware. In response, Microsoft has disabled the ms-appinstaller protocol handler by default.

Cybercriminals have been found selling a malware kit as a service that abuses the MSIX file format and the ms-appinstaller protocol handler. These threat actors distribute signed malicious MSIX application packages through websites reached via malicious advertisements, with the packages posing as legitimate, popular software.

Microsoft noted that hackers likely chose the ms-appinstaller protocol handler because it can bypass mechanisms designed to protect users from malware, such as Microsoft Defender SmartScreen and the built-in browser warnings shown when executable file formats are downloaded. The change is part of Microsoft's ongoing effort to strengthen its security measures and protect users from evolving cyber threats.
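A defender-side check, added here and not part of the article or of Microsoft's own tooling, that reports whether the ms-appinstaller protocol handler is blocked by policy on a Windows host and can optionally enforce the block. It assumes the Group Policy registry location HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller with the DWORD value EnableMSAppInstallerProtocol (0 = disabled), which the article itself does not name.

```powershell
# Added example (not from the article). Assumed policy location and value name:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller
#   EnableMSAppInstallerProtocol (DWORD): 0 = handler disabled, 1 = enabled
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$ValueName  = 'EnableMSAppInstallerProtocol'

function Get-MsAppInstallerProtocolState {
    # Returns one of: 'DisabledByPolicy', 'EnabledByPolicy', 'NotConfigured'.
    # 'NotConfigured' means the host relies on the App Installer package's
    # own default, which is 'disabled' only once the updated package is installed.
    $policy = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $policy) { return 'NotConfigured' }
    if ([int]$policy.$ValueName -eq 0) { return 'DisabledByPolicy' }
    return 'EnabledByPolicy'
}

function Set-MsAppInstallerProtocolDisabled {
    # Explicitly pins the handler off so the state no longer depends on the
    # installed App Installer version. Requires an elevated session.
    New-Item -Path $PolicyPath -Force | Out-Null
    Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value 0 -Type DWord
}

# Report the current state alongside the installed App Installer package version,
# so a fleet inventory can spot hosts that are neither updated nor policy-pinned.
$pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    ProtocolPolicyState = Get-MsAppInstallerProtocolState
    AppInstallerVersion = if ($pkg) { ($pkg | Select-Object -First 1).Version } else { 'not installed' }
}

# To enforce the block, run from an elevated prompt:
#   Set-MsAppInstallerProtocolDisabled
```

Hosts reporting NotConfigured together with an older App Installer version are the ones still exposed to the vector described above.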

(With Agency Inputs)
