Rogue QR Codes Could Pose A Security Risk

QR codes have loads of handy uses — but like almost everything else in technology, they can also be exploited by the nasty-minded for their own evil schemes. Anti-malware software developer AVG reminds us that scanning a QR code onto your phone when you're not sure of the provenance can be a risky business.

Picture by Mathieu Plourde

QR codes are increasingly being used on outdoor media such as posters, but AVG points out that this could easily be used as a means to divert people to malware-laden sites or to steal personal details:

Malicious QR codes can be easily generated and placed as stickers over the legitimate QR codes for both small and large-scale attacks on personal and financial identity. Printed flyers offering irresistible deals, but accessible only via a QR code, could easily be left in public places. By such simple means, cyber criminals, skilled at using sophisticated attacks like spear phishing or other variants of social engineering, can then use their own malicious QR code to phish or pharm the unsuspecting smartphone user to a web page designed to look as though it is a legitimate advertiser. The cyber criminals will have their own web form with instructions on how to sign up for a service or competition, or purchase some bargain. By completing the form, victims provide them with private details and/or money.

As with most security threats, the key is to have a slightly cynical attitude and also have security measures in place. If you're snapping a QR code in the street, it's fairly easy to check if it's the original.



    Out of curiosity, does anyone here actively scan advertising related QR codes?

    Personally, I've developed a blind-spot for advertising, so there's no way I'd go to the length of stopping, pulling out my phone, starting an app, shooting a QR code, then visiting a site.

    What I'm getting at: is there even any potential for widespread abuse here?

      I've never even seen them used for advertising.

      I only ever use them for installing apps/games to my Android phone.

      No, but I have scanned in unlabelled ones - you know, one lone QR code sitting above the urinal at eye height in the men's room. There's a kind of intrigue with that (is it an underground advertising campaign? a joke? the modern equivalent of 'for a good time, call..'?)

      As a side note, it's not generally a good idea to start taking photos at the men's urinal. Men may complain.

        I only scan them if they are in weird places. Scanned one on a random tree the other day.

          You are precisely who scammers are looking for...

    I hardly think a cyber criminal is going to get out his Dymo label maker and print a QR code, then hunt down one on the street and hope that it's the right size to be put over the top, just to install malware onto an iPhone that needs to be signed by Apple in the first place to install anything onto, unless it's jailbroken. Pfft, as if they would go to that much trouble; they would be better off cloning a Westpac or PayPal site.

      It's not the QR code maker. It's not about installing anything.... It's about the READER, the company that produced that software to read the code, KNOWING you, your phone, your contacts, your location, and so on. Just don't do it.

    I will NEVER scan a QR code unless I specifically write the software that reads that code. There is no way that the people who wrote the app get to know WHAT I am scanning ** as well as ** my phone information, location information, contacts possibly and who knows what else from my phone. Think I am paranoid? You bet. In this day and age of people and companies trying their best to get our personal information and habits - there is no way I am allowing this QR code stuff to slip by.
