Microsoft takes action, disables protocol due to malware abuse, impacting software distribution. Threat actors exploit App Installer feature. (Getty Images)


December 30, 2023

Application developers who rely on Windows' App Installer feature for distributing software online will need to explore alternative methods as Microsoft has taken action to disable a crucial protocol due to its exploitation by malicious actors.

In response to the misuse by threat actors, Microsoft announced on Thursday that it has deactivated the ms-appinstaller protocol handler by default. This action was prompted by the discovery of at least four groups leveraging this protocol over the past two months to spread malware. This isn't the first time Microsoft has taken such measures; it's the second instance in two years that the tech giant has blocked this protocol due to misuse.

The ms-appinstaller protocol allows developers to utilize links starting with ms-appinstaller:// to initiate Microsoft's App Installer system for facilitating the downloading process. Unfortunately, threat groups and cybercriminals have misused this protocol. Besides threat actors, multiple cybercriminals are offering a malware kit as a service that exploits the MSIX file format. These individuals distribute malicious MSIX application packages, signed and accessed through websites linked with deceitful advertisements for commonly used legitimate software.

Microsoft has highlighted that threat actors likely chose the ms-appinstaller protocol handler because it circumvents safety mechanisms designed to protect users from malware, including Microsoft Defender SmartScreen and browser warnings for executable file downloads.

One of the methods of abuse involves gangs deceiving users who search for legitimate software like Zoom, Tableau, TeamViewer, and AnyDesk via search engines. Victims, upon clicking these seemingly authentic links, are directed to spoofed landing pages resembling the original software providers' pages. These fake pages contain links to malicious installers via the ms-appinstaller protocol. These deceptive pages display misleading pop-up messages, such as "Install Zoom?" with an "Install" button. One way to spot the scam is by noting that the app publisher is listed as "Legion LLC" rather than the legitimate Zoom Communications.

Similarly, another group distributes fake versions of Adobe Acrobat Reader by falsely claiming that the victim's computer needs an update. A pop-up box asks, "Install Adobe Protected PDF Viewer?" An indicator of the fraudulence is the publisher being an unknown entity instead of Adobe.

Experts in information security advise caution, urging individuals to be wary of downloading and installing applications without proper authorization. They emphasize the importance of using the browser's URL bar to verify the legitimacy of a website's domain after clicking a search result link. Furthermore, users are encouraged to ensure that the software they're installing is from a reputable publisher.

Additionally, employing robust authentication processes resistant to phishing attempts can significantly enhance security measures.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

You may also like

Bitcoin Investor Buys an Entire SpaceX Flight for the Ultimate Polar Adventure

A bold new chapter in space tourism unfolded as Chun Wang, a Bitcoin investor and entrepreneur, launched into orbit on....

Elon Musk’s xAI Acquires X in $33 Billion Stock Deal

Elon Musk’s artificial intelligence startup, xAI, has officially taken over his social media platform, X, in a deal valued at....

Trump Considers Lowering Tariffs to Seal TikTok Deal

Former U.S. President Donald Trump signalled on Wednesday that he might reduce tariffs on China to facilitate the sale of....

U.S. Robotics Firms Urge National Strategy to Compete China

American robotics companies are calling for a national U.S. robotics strategy to strengthen the industry and maintain a competitive edge....

Waymo Plans Self-Driving Taxi Service in Washington by 2026

Alphabet’s autonomous taxi service, Waymo, is expanding to Washington, D.C., with plans to launch in 2026. The announcement, made on....

Trump Aides Used Signal for Secret War Talks – What to Know

Top officials from the Trump administration reportedly used the encrypted messaging app Signal to discuss military plans, sparking concerns over....

PsiQuantum Secures $750M to Advance Quantum Computing

According to sources, Quantum computing startup PsiQuantum is securing at least $750 million in funding, pushing its valuation to $6....

Are We Ready to Mine Metals from Space? The Future of Asteroid Mining

Asteroid Mining: A Sci-Fi Dream or an Inevitable Future? For decades, space enthusiasts and scientists have imagined a future where....

Nvidia CEO Surprised By Public Quantum Computing Companies

Nvidia CEO Jensen Huang admitted he was unaware that publicly traded quantum computing firms existed when he previously commented on....

Tesla Faces Crisis: Cybertruck Recall & Musk’s Trump Ties

Tesla and its CEO Elon Musk are in hot water as controversy swirls around the company. One of Tesla’s strongest....

Humanoid Robots Could Arrive Sooner Than Expected, Says Nvidia CEO

The world may be closer to a robotics revolution than most people think. Nvidia CEO Jensen Huang believes humanoid robots....

Nvidia’s AI Vision: Jensen Huang Unveils Future at GTC 2025

Nvidia CEO Jensen Huang took center stage at the GTC 2025 conference, often dubbed “AI Woodstock,” to discuss the rapid....