Microsoft has recently disabled the download and installation of its ms-appinstaller protocol handler. This is the app that is used by default when installing and uninstalling Microsoft apps.
However, Microsoft had to disable it because reports indicated that hackers had been deploying malware through the app. This happened right after Microsoft released Copilot for smartphones.
This is what a security advisory for Microsoft has to say regarding this issue:
The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution.
Moreover, it has been found that hackers have been selling this malware, and other forms of malicious software, on the internet – namely, the Dark Web.
Furthermore, such malware is delivered in the MSIX file format, which by default is installed through the ms-appinstaller protocol handler on a device.
But how are these hackers installing malware on our devices? It seems that they are creating fake ads for various popular Microsoft software.
Therefore, if you click on one of these genuine-looking ads, you will be redirected to a fake Microsoft website created by the hackers. If you then download apps from this fake website, you will get infected.
Moreover, since you will be installing what appear to be Microsoft apps, they will automatically use the ms-appinstaller handler, which triggers the activation of the malware.
But why are hackers using the ms-appinstaller to do so? This is what Microsoft’s security advisory had to say:
Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats.
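For administrators who want to check whether the protocol handler described above is still reachable on a Windows machine, the following PowerShell script is an added example; it is not part of the article and not Microsoft's own tooling. It assumes that the Group Policy setting controlling the handler is stored as a DWORD named EnableMSAppInstallerProtocol under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller (0 = disabled), and that the handler is registered under HKEY_CLASSES_ROOT\ms-appinstaller; both names are assumptions to verify against your own environment.

```powershell
# Added example (not from the article or from Microsoft): audit whether the
# ms-appinstaller protocol handler is registered on this host and whether the
# policy that blocks it has been applied.
# Assumed locations (verify in your environment):
#   - policy value: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller
#     DWORD EnableMSAppInstallerProtocol, 0 = disabled
#   - protocol registration: HKEY_CLASSES_ROOT\ms-appinstaller
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$policyName = 'EnableMSAppInstallerProtocol'
$protocolKey = 'Registry::HKEY_CLASSES_ROOT\ms-appinstaller'

function Get-MsAppInstallerStatus {
    # Collect the three facts a defender cares about: is the handler present,
    # is the policy set at all, and does it actually block the handler.
    $status = [ordered]@{
        ProtocolRegistered = Test-Path $protocolKey
        PolicyConfigured   = $false
        PolicyValue        = $null
    }
    if (Test-Path $policyKey) {
        $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $status.PolicyConfigured = $true
            $status.PolicyValue      = $item.$policyName
        }
    }
    # The handler is only considered blocked when the policy exists and is 0.
    $status.Blocked = $status.PolicyConfigured -and ($status.PolicyValue -eq 0)
    [pscustomobject]$status
}

function Disable-MsAppInstallerProtocol {
    # Requires an elevated shell. Creates the policy key if it does not exist
    # and sets the assumed policy value to 0 (disabled).
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name $policyName -Value 0 -Type DWord
}

# Usage: report the current state and warn when the handler is exposed.
$state = Get-MsAppInstallerStatus
$state | Format-List
if ($state.ProtocolRegistered -and -not $state.Blocked) {
    Write-Warning 'ms-appinstaller handler is registered and not blocked by policy.'
    Write-Warning 'Run Disable-MsAppInstallerProtocol from an elevated shell to block it.'
}
```

Run Get-MsAppInstallerStatus first to see where a machine stands; apply Disable-MsAppInstallerProtocol only after confirming the policy path above matches the ADMX template deployed in your environment, since a wrong path creates an inert registry value rather than a block.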
Currently, Microsoft Security has identified four primary threat actors responsible for these malware attacks. They are Storm-1569, Storm-1113, Storm-1674, and Sangria Tempest (also known as FIN7).
Most of these deploy the Black Basta ransomware, especially through fake installers for the Microsoft OneDrive app. Therefore, be careful about the websites you visit on the internet and the apps you download.