Microsoft takes action, disables protocol due to malware abuse, impacting software distribution. Threat actors exploit App Installer feature. (Getty Images)


December 30, 2023

Application developers who rely on Windows' App Installer feature for distributing software online will need to explore alternative methods as Microsoft has taken action to disable a crucial protocol due to its exploitation by malicious actors.

In response to the misuse by threat actors, Microsoft announced on Thursday that it has deactivated the ms-appinstaller protocol handler by default. This action was prompted by the discovery of at least four groups leveraging this protocol over the past two months to spread malware. This isn't the first time Microsoft has taken such measures; it's the second instance in two years that the tech giant has blocked this protocol due to misuse.

The ms-appinstaller protocol allows developers to utilize links starting with ms-appinstaller:// to initiate Microsoft's App Installer system for facilitating the downloading process. Unfortunately, threat groups and cybercriminals have misused this protocol. Besides threat actors, multiple cybercriminals are offering a malware kit as a service that exploits the MSIX file format. These individuals distribute malicious MSIX application packages, signed and accessed through websites linked with deceitful advertisements for commonly used legitimate software.

Microsoft has highlighted that threat actors likely chose the ms-appinstaller protocol handler because it circumvents safety mechanisms designed to protect users from malware, including Microsoft Defender SmartScreen and browser warnings for executable file downloads.

One of the methods of abuse involves gangs deceiving users who search for legitimate software like Zoom, Tableau, TeamViewer, and AnyDesk via search engines. Victims, upon clicking these seemingly authentic links, are directed to spoofed landing pages resembling the original software providers' pages. These fake pages contain links to malicious installers via the ms-appinstaller protocol. These deceptive pages display misleading pop-up messages, such as "Install Zoom?" with an "Install" button. One way to spot the scam is by noting that the app publisher is listed as "Legion LLC" rather than the legitimate Zoom Communications.

Similarly, another group distributes fake versions of Adobe Acrobat Reader by falsely claiming that the victim's computer needs an update. A pop-up box asks, "Install Adobe Protected PDF Viewer?" An indicator of the fraudulence is the publisher being an unknown entity instead of Adobe.

Experts in information security advise caution, urging individuals to be wary of downloading and installing applications without proper authorization. They emphasize the importance of using the browser's URL bar to verify the legitimacy of a website's domain after clicking a search result link. Furthermore, users are encouraged to ensure that the software they're installing is from a reputable publisher.

Additionally, employing robust authentication processes resistant to phishing attempts can significantly enhance security measures.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

You may also like

EV Interest Dips Among Canadians for Third Year Straight

A recent AutoTrader survey reveals that interest in electric vehicles (EVs) among Canadians is steadily declining, despite a noticeable drop....

Nations Boost Digital Defences as Cyber Threats Grow

In a troubling sign of the times, hackers backed by Russia’s government infiltrated a water facility in the small Texas....

Google to Challenge Part of US Court's Ruling in Monopoly Case

Google, part of Alphabet Inc., has announced plans to appeal a portion of the recent court ruling in the ongoing....

Google Faces £5B UK Lawsuit Over Search Engine Control

Google is now facing a massive £5 billion lawsuit in the United Kingdom, accusing the tech giant of using its....

Meta CEO Zuckerberg eyed Instagram split in 2018, email reveals

According to an internal email revealed during an ongoing antitrust trial, Meta CEO Mark Zuckerberg considered splitting Instagram from Facebook....

Meta’s Monopoly Trial Begins: What’s at Stake for Instagram and WhatsApp

In a major legal showdown, Meta CEO Mark Zuckerberg appeared in court on Monday as part of a historic antitrust....

 Future Legislation Must Address AI’s Role in News Compensation

As the media landscape evolves, researchers in Canada suggest future laws aimed at balancing the power between tech giants and....

Ireland Investigates Musk’s X Over AI Data Collection Practices

Ireland’s Data Protection Commission (DPC) has launched a formal investigation into Elon Musk’s platform X, formerly known as Twitter, over....

Google Cuts Prices for U.S. Government to Compete with Microsoft

In a bold move to expand its presence in the public sector, Google is now offering deep discounts on its....

Alphabet Sticks to $75B Spending Plan Amid Tariff Concerns

Alphabet, the parent company of Google, has confirmed its decision to invest a staggering $75 billion in 2025, mainly to....

TSMC Faces Over $1B Fine Over Huawei Chip Link: US Probe

Taiwan’s leading chipmaker, TSMC, may be hit with a fine of over $1 billion after a U.S. investigation revealed one....

Shopify CEO: AI Skills Now a Must for All Employees

Shopify is taking artificial intelligence more seriously than ever before. In a recent internal memo, CEO Tobi Lütke told employees....