After detecting App Installer abuse for malware distribution for several months, Microsoft disabled the protocol handler by default. The tech giant took this initiative in a bid to protect the customers from further threats.
Microsoft App Installer Disabled By Default
According to a recent blog post, Microsoft has disabled the App Installer (ms-appinstaller) protocol handler by default for its users.
The App Installer – precisely, ms-appinstaller URI (Uniform Resource Identifier) scheme (protocol) – facilitated users in direct installation of apps from the internet. It streamlined app installations, completing the process faster while using minimal disk resources.
Microsoft launched this feature with some newer versions of Windows 10. However, the tech giant had to disable it by default as it detected numerous exploitations of the protocol from different malware groups.
As elaborated, the firm observed the threat actors abusing the current implementation of the ms-appinstaller protocol handler for malware and ransomware distribution. They even detected the hacker groups distributing malware kits tailored to abuse the feature for stealth malware installations. Microsoft named some financially motivated threat actor groups, including the Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, actively abusing the feature.
Microsoft found the feature abuse and the subsequent malware campaigns to be around since mid-November 2023. The threat actors used various techniques to distribute malware, predominantly relying on social engineering and phishing.
The tech giant observed numerous malicious websites to be distributing the malware by impersonating legit software, such as Zoom, TeamViewer, Tableau and AnyDesk. Whereas, in case of Storm-1674, the threat actors distributed the malicious web page links via Teams to trick users.
After detecting these malware campaigns going around with an exponential rise, the tech giant decided to disable the feature to prevent malware abuse. Hence, Microsoft disabled the ms-appinstaller URI scheme handler by default in App Installer build 1.21.3421.0.
While this move will likely prevent the threat, Microsoft still advised the users to stay vigilant while interacting with web links.
Let us know your thoughts in the comments.
