Since Windows 10 (Fall Creators Update), Microsoft has offered a convenient way to install apps straight from a web page through App Installer: the user clicks a link that uses the “ms-appinstaller:” URL scheme (details). Behind the scenes, this installs a package in the MSIX format introduced with Windows 10.
However, the latest findings from Microsoft Threat Intelligence show that attackers are abusing the ms-appinstaller channel to distribute malware. One of their tactics is to build fake web pages that imitate popular apps such as Zoom or Adobe, then use SEO techniques to rank highly in search results or buy ads, luring users into clicking the link and installing the app on Windows right away. If you look closely at the installation page, you can see that the app’s creator (publisher) name is different from Zoom, for instance.
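As an added example (not part of the original post and not Microsoft's own tooling), the following Python script takes the HTML of a captured download page, pulls out every link that uses the ms-appinstaller: scheme, and flags the host that would serve the MSIX package when it is not on an allowlist or merely contains an imitated brand name. The allowlist, the brand keywords and the sample page are constructed assumptions for the demonstration.

```python
"""Find ms-appinstaller: links on a captured download page and flag untrusted MSIX sources."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts an organisation trusts to serve MSIX packages (constructed allowlist).
ALLOWED_MSIX_HOSTS = {"zoom.us", "adobe.com"}
# Brand names the article says fake pages imitate; a non-allowlisted host
# containing one of these is reported as a lookalike rather than merely unlisted.
IMITATED_BRANDS = ("zoom", "adobe")

# Constructed sample landing page; it is not a real site.
SAMPLE_HTML = """
<html><body>
<h1>Download Zoom</h1>
<a href="ms-appinstaller:?source=https://zoom-download.example/ZoomInstaller.msix">Install now</a>
<a href="ms-appinstaller:?source=https%3A%2F%2Fzoom.us%2Fclient%2FZoom.msix">Official build</a>
<a href="https://zoom.us/support">Help</a>
<a href="ms-appinstaller:?source=https://cdn.example.net/tool.msix">Mirror</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects the href value of every <a> tag in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def is_appinstaller_link(href):
    return href.lower().startswith("ms-appinstaller:")


def extract_msix_source(href):
    """Return the package URL from an ms-appinstaller:?source=<url> link, else None."""
    if not is_appinstaller_link(href):
        return None
    _, _, query = href.partition("?")
    values = parse_qs(query).get("source")  # parse_qs percent-decodes the value
    return values[0] if values else None


def host_is_allowed(host):
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in ALLOWED_MSIX_HOSTS)


def classify_source(source_url):
    """Return (verdict, host) for the URL that would serve the MSIX package."""
    host = (urlsplit(source_url).hostname or "").lower()
    if not host:
        return "malformed", host
    if host_is_allowed(host):
        return "allowed", host
    if any(brand in host for brand in IMITATED_BRANDS):
        return "lookalike", host
    return "unlisted", host


def scan_landing_page(html):
    """Return one finding per ms-appinstaller: link: {href, source, host, verdict}."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        if not is_appinstaller_link(href):
            continue
        source = extract_msix_source(href)
        if source is None:
            verdict, host = "malformed", ""
        else:
            verdict, host = classify_source(source)
        findings.append({"href": href, "source": source, "host": host, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_landing_page(SAMPLE_HTML):
        print(f"{f['verdict']:9s} {f['host']:28s} {f['source']}")
```

The point of the host check is that the link text and the page branding say nothing about who serves the package; only the `source=` URL (and, at install time, the publisher shown by App Installer) does, so that is what a defender should compare against an allowlist.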
In response, Microsoft has taken an initial step by disabling installation through ms-appinstaller by default, in order to curb the malware distribution (users now have to download the MSIX file and install it directly instead). They have also updated Microsoft Defender’s detection data to recognize and block these malware variants.
Malware being distributed through ms-appinstaller has happened before: it prompted Microsoft to temporarily disable ms-appinstaller in February 2022, then bring it back once the malware group behind that campaign had been dealt with. Now that this channel has once again become a source of trouble, we will have to wait and see what Microsoft’s long-term solution is. Will they disable it permanently (as the default) or opt for another remedy?
Source: Microsoft, Microsoft, BleepingComputer
TLDR: Microsoft has discovered that hackers are exploiting the ms-appinstaller channel to distribute malware by creating fake app web pages and employing SEO techniques. Microsoft has taken initial measures to protect users, such as disabling ms-appinstaller by default and updating Microsoft Defender. However, it remains to be seen what their long-term solution will be to address this ongoing threat.