QR codes (sometimes referred to as ‘tags’) which is an abbreviation for ‘Quick Response’ allows mobile users to use a smartphone’s camera to read a barcode (see image opposite – this is the QR code for my blog). A QR code can contain text and or a URL. You may have started seeing these on websites and in magazines. They will be everywhere in time – on advertising boards, TV, websites you visit (e.g some sites might say “click this QR code to see the video”), travel signs, clothes, tickets, coupons, number plates – the list is endless. Then there is of course someone sticking their malicious QR code over an existing QR code. It’s that easy!
I know from traffic on some underground carder forums that QR code tampering is something being discussed, including developing scripts that exploit the QR tags. Android is a particular target given it’s open source nature, high number of users (the next Microsoft maybe?) and lack of app store security control. Users in Russia have already been tricked by a QR code to click on a link and register for a premium premium rate service (PRS). It’s a little more tricky for this to happen in the US as users need to double opt-in before registering for a premium rate SMS service. This PRS example still requires the user to agree or opt-in to the PRS. It’s all about being vigilant right now, however the QR code threat like most online threats will evolve over time.
Malware writers will look to develop QR codes that open the mobile browser (we don’t always see the full URL string on a mobile device unlike on a laptop/desktop) and send you to a rogue website which then uses DLL browser hooking to inject malicious code into your browser which then plants the malware seed into your operating system. The same rules will apply to apps. It’s important to note, malware in most cases will not install unless you have clicked on a URL for example. With more and more users now using mobile banking apps, cybercriminals will look to the QR attack vector to collect sensitive banking details as well as your phones data file.
For now I suggest my readers use a mobile QR scanner that doesn’t automatically take you to a URL, rather than one that autoresolves. Check with your chosen QR vendor for further information.
Safe surfing folks!