After months of detecting abuse of app installers for malware distribution, Microsoft has disabled the protocol handler by default. The tech giant took this initiative to protect its customers from further threats.
Microsoft App Installer is disabled by default
According to a recent blog post, Microsoft has disabled the App Installer (ms-appinstaller) protocol handler for users by default.
The app installer, or more precisely the ms-appinstaller Uniform Resource Identifier (URI) scheme (protocol), allows users to install apps directly from the Internet. App installation is streamlined and the process completes faster while using minimal disk resources.
Microsoft introduced this feature in recent versions of Windows 10. However, a number of exploits of this protocol by various malware groups were detected, forcing the tech giant to disable the feature by default.
As detailed in the blog post, the company has observed threat actors exploiting the current implementation of the ms-appinstaller protocol handler to distribute malware and ransomware. It also detected a group distributing malware kits tailored to exploit this feature in order to install malware stealthily. Microsoft cited several financially motivated attacker groups that are actively exploiting this feature, including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674.
Microsoft discovered that exploits of this feature and subsequent malware campaigns have been present since mid-November 2023. The attackers used a variety of techniques to distribute the malware, primarily relying on social engineering and phishing.
The tech giant observed a number of malicious websites distributing malware by masquerading as legitimate software such as Zoom, TeamViewer, Tableau, and AnyDesk. In the case of Storm-1674, the attacker distributed links to malicious web pages via Microsoft Teams to trick users.
After detecting a sharp increase in these malware campaigns, the tech giant decided to disable this feature to prevent it from being exploited for malware delivery. Therefore, Microsoft has disabled the ms-appinstaller URI scheme handler by default in App Installer build 1.21.3421.0.
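As an added, defender-side example that is not part of the original article or Microsoft's tooling, the script below parses the ms-appinstaller:?source=<url> link form described above and triages links found in logs against an allowlist of approved package hosts. The allowlist, the .example hostnames, the 203.0.113.10 address and the log lines are all constructed for the example.

```python
"""Triage ms-appinstaller:?source=<url> links from constructed proxy/mail-gateway logs."""
from urllib.parse import parse_qs, urlsplit

APPINSTALLER_SCHEME = "ms-appinstaller"

# Constructed allowlist: hosts a hypothetical organisation approves for MSIX delivery.
ALLOWED_PACKAGE_HOSTS = {"contoso.example"}

# Constructed sample of link targets as they might appear in web-proxy or mail logs.
SAMPLE_LINKS = [
    "https://zoom.us/download",  # ordinary HTTPS link, not the scheme, ignored
    "ms-appinstaller:?source=https://contoso.example/internal/LineOfBusiness.msixbundle",
    "ms-appinstaller:?source=https%3A%2F%2Fzoom-download.example%2FZoomInstaller.msixbundle",  # brand look-alike
    "MS-APPINSTALLER:?source=http://203.0.113.10/update.appx",  # upper-case scheme, bare IP, plain http
]


def parse_appinstaller_link(link):
    """Return the package URL an ms-appinstaller link hands to App Installer, or None if it is not one."""
    scheme, sep, rest = link.strip().partition(":")
    if not sep or scheme.lower() != APPINSTALLER_SCHEME:
        return None
    # The body is a query string (ms-appinstaller:?source=<url>); parse_qs percent-decodes the value.
    sources = parse_qs(rest.lstrip("?"), keep_blank_values=True).get("source")
    return sources[0] if sources else None


def triage_links(links, allowed_hosts):
    """Classify each ms-appinstaller link; anything not from an approved HTTPS host is marked for review."""
    findings = []
    for link in links:
        package_url = parse_appinstaller_link(link)
        if package_url is None:
            continue
        parts = urlsplit(package_url)
        host = (parts.hostname or "").lower()
        reasons = []
        if host not in allowed_hosts:
            reasons.append("package host not on allowlist")
        if parts.scheme.lower() != "https":
            reasons.append("package not served over https")
        findings.append({"link": link, "package_url": package_url, "host": host,
                         "verdict": "allowed" if not reasons else "review", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_links(SAMPLE_LINKS, ALLOWED_PACKAGE_HOSTS):
        print(finding["verdict"], finding["host"], "; ".join(finding["reasons"]))
```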
Although this measure will likely prevent the threat, Microsoft advised users to always exercise caution when interacting with web links.
Let us know what you think in the comments.