Microsoft takes action, disables protocol due to malware abuse, impacting software distribution. Threat actors exploit App Installer feature. (Getty Images)
Application developers who rely on Windows' App Installer feature for distributing software online will need to explore alternative methods as Microsoft has taken action to disable a crucial protocol due to its exploitation by malicious actors.
In response to the misuse by threat actors, Microsoft announced on Thursday that it has deactivated the ms-appinstaller protocol handler by default. This action was prompted by the discovery of at least four groups leveraging this protocol over the past two months to spread malware. This isn't the first time Microsoft has taken such measures; it's the second instance in two years that the tech giant has blocked this protocol due to misuse.
The ms-appinstaller protocol allows developers to utilize links starting with ms-appinstaller:// to initiate Microsoft's App Installer system for facilitating the downloading process. Unfortunately, threat groups and cybercriminals have misused this protocol. Besides threat actors, multiple cybercriminals are offering a malware kit as a service that exploits the MSIX file format. These individuals distribute malicious MSIX application packages, signed and accessed through websites linked with deceitful advertisements for commonly used legitimate software.
Microsoft has highlighted that threat actors likely chose the ms-appinstaller protocol handler because it circumvents safety mechanisms designed to protect users from malware, including Microsoft Defender SmartScreen and browser warnings for executable file downloads.
One of the methods of abuse involves gangs deceiving users who search for legitimate software like Zoom, Tableau, TeamViewer, and AnyDesk via search engines. Victims, upon clicking these seemingly authentic links, are directed to spoofed landing pages resembling the original software providers' pages. These fake pages contain links to malicious installers via the ms-appinstaller protocol. These deceptive pages display misleading pop-up messages, such as "Install Zoom?" with an "Install" button. One way to spot the scam is by noting that the app publisher is listed as "Legion LLC" rather than the legitimate Zoom Communications.
Similarly, another group distributes fake versions of Adobe Acrobat Reader by falsely claiming that the victim's computer needs an update. A pop-up box asks, "Install Adobe Protected PDF Viewer?" An indicator of the fraudulence is the publisher being an unknown entity instead of Adobe.
Experts in information security advise caution, urging individuals to be wary of downloading and installing applications without proper authorization. They emphasize the importance of using the browser's URL bar to verify the legitimacy of a website's domain after clicking a search result link. Furthermore, users are encouraged to ensure that the software they're installing is from a reputable publisher.
Additionally, employing robust authentication processes resistant to phishing attempts can significantly enhance security measures.
