Dec 12, 2011

How much of a threat are QR codes to smartphone users?

There was a piece on NPR today about the use of QR codes as a vehicle for malware. Apparently, the QR codes are used to push Android users into downloading malware on the Android market. There was one instance where the app that people were fooled into downloading sent off multiple text messages to a number that charged users $5 per message. Surprise!  I would hate to have to explain that bill to my supervisor!  :-( 

I think I can keep myself from downloading apps based on a QR code, but are there other risks directly related to QR codes? Can just viewing a QR code result in a virus or malware showing up on our mobile devices?


I think your greatest threat is phishing through use of a fake look-a-like website, or using a cloned website to attack reader software or install malware  QR Codes could also potentially be used as an attack vector for SQL or command injection on reader software.  There have been similar attacks on systems using RFID chips.  The nice thing is, outside of a relatively narrow range of tasks, there isn't a lot of need to read QR Codes using your smartphone.  The vast majority of QR Codes that are encountered daily are used for advertising and marketing, and while I can't speak for others, I am hit with enough adverts daily without the need to do the companies' work for them, especially if it carries a security risk along with the information.  I don't think the level of risk is very high at the moment, but it may be high enough to think about those QR codes before you scan them.    

Hi jdixon,

See the last part of this article that covers potential risks related to QR codes. It certainly seems to be something to take seriously.

QR Code Risks

"Malicious QR codes combined with a permissive reader can put a computer's contents and user's privacy at risk. They are easily created and may be affixed over legitimate QR codes.[21] On a smartphone, the reader's many permissions may allow use of the camera, full internet access, read/write contact data, GPS, read browser history, read/write local storage, and global system changes.[22][23][24]

Risks include linking to dangerous websites with browser exploits, enabling the microphone/camera/GPS and then streaming those feeds to a remote server, analysis of sensitive data (passwords, files, contacts, transactions),[25] and sending email/SMS/IM messages or DDOS packets as part of a botnet, corrupting privacy settings, stealing identity,[26] and even containing malicious logic themselves such as JavaScript[27] or a virus.[28][29] These actions may occur in the background while the user only sees the reader opening a seemingly harmless webpage.[30]"
Answer this