11:41 PM

QR Code Malware Picks Up Steam

Attackers tricking users into scanning fake QR codes that lead to malicious sites and apps

As mobile marketers latch onto the convenience and cool-factor of QR codes, hackers are starting to take advantage of these square, scannable bar codes as a new way to distribute malware. Like all mobile attack vectors, it is a new frontier that security researchers say is not extremely prevalent, but which has a lot of potential to wreak havoc if mobile developers and users stand by unaware.

The success behind QR code usage among mobile fans has largely been pinned on its simplicity.

"QR codes are growing in popularity and seem to be popping up everywhere -- magazine ads, newsletters, real-estate signs, newspaper ads, and in trade-show booths," says Paul Henry, security and forensic analyst at Lumension. "In the simplest of terms, a QR code is a 2D bar code that can store data which can then be read by smartphone users. The data is an easy way to direct a user to a particular website with a simple scan of the QR code, but it could also just as easily be a link to a malicious website."

Just point your mobile device's camera on the code and scan it, and the reading will take you to the website or mobile app download that its promoter promises to provide. The difficulty is that you're depending on the honesty of that provider or the assumption that the code hasn't been tampered with to know the destination is legitimate.

"QR codes, while perhaps convenient for the user, clearly open the door to the clever obfuscation of malicious links for would-be bad guys," Henry says.

The simplicity is a double-edged sword because it actually hides the nature of the individual QR code, not giving you any clues as to whether the destination really is good or bad.

"The big problem is that the QR code to a human being is nothing more than 'that little square with a bunch of strange blocks in it.' There's no way to tell what is behind that QR code," says Damon Petraglia, director of forensic and information security services for Chartstone. "And the biggest risk is that people cannot deny their own curiosity. If people see a random QR code that's not connected to anything, just a sticker on the wall, they're going to scan it because they want to know what the heck it is."

Attackers depend on that curiosity and the innate obfuscation of QR codes to craft their attacks.

"Much like URL-shortening services can be and are used maliciously because of the fact that they obscure the real target URL, QR codes can also be used for such deception," says Joe Levy, CTO of Solera Networks. "But QR codes -- typically read by QR code-scanning applications running on smartphones -- provide a direct link to other smartphone capabilities, such as email, SMS, and application installation. So potential attack vectors extend beyond obscured URLs and browser exploits very nearly to the full suite of device capabilities."

The basic idea behind malicious QR codes is to trick people into scanning the code and redirect them to an infected site, malicious app, or phishing site.

The first part -- convincing the user to scan the code in the first place -- is done through a couple of methods.

"You're going to see this in two ways," Petraglia says. "You're going to see the QR code come in through spam-like emails, and you're also going to see them physically distributed around, whether it be flyers in a parking lot or even malicious stickers pasted over different legitimate ads."

From there, the world is the attackers' oyster. They are already using malicious codes to perpetrate their scams in a number of ways. On iOS devices, for example, hackers are repurposing jail-break exploits to send users to websites that will jailbreak the device and install additional malicious malware, says Tomer Teller, security evangelist at Check Point Software Technologies.

"This is essentially a drive-by-download attack, where a user scans a bar code and is redirected to an unknown website," he says. "This website hosts modified exploits of the original jailbreak. Once visited, the user phone will be jailbroken and additional malware could be deployed [such as keyloggers and GPS trackers]."

Because Android allows applications to run in the background and generally offers more app freedom, it is more susceptible to QR code attacks.

"On the Android, the chances of getting infected are often much higher since applications are allowed to do actions such as sending SMS, blocking SMS, making calls, etc.," Teller says. "Criminals are redirecting users to download malicious applications. All a user needs to do is scan a barcode, and it will redirect to a website that will download the Android Application."

In addition, attackers are using QR codes to redirect users to fake websites for phishing.

"A QR code will redirect to a fake bank that will look exactly like your bank. Since most smartphone screens are small, a normal user may not see the difference and will type in his or her [information] and hand it to the attackers," Teller says.

According to Levy, the frequency of these attacks is not yet alarmingly high, but it is definitely worth keeping an eye out for.

"While there have been reports and proofs of concept of malicious QR code use, it is still not a widespread problem, although we should expect this to change as the QR code-capable target audience continues to grow," he says.

One of the biggest mobile evolutions that could make QR code malware really dastardly is the move of entrepreneurs to utilize these codes for increased levels of functionality on our phones, particularly for mobile payments.

"One that I'm sure will attract the attention of malicious actors will be the incipient development of QR-based payment systems, such as we're seeing from LevelUp, Kuapay, and PayPal," Levy says. "As our mobile devices and our wallets continue to converge through such technologies as near field communications [NFC], Bump, and QR, malware authors are bound to prefer these very direct paths to the money. Inventors and authors of these types of services and applications must be held to a very high -- perhaps even highly regulated -- standard. After all, these devices and apps are well on the road to becoming our new currency."

In the interim, though, users and organizations can start protecting themselves from the most basic of QR code attacks by giving themselves some visibility into what they scan. It is all a matter of choosing the right scanning application for the phone.

"Only use QR code reader software that allows the user to confirm the action to be taken --- i.e., visit a website link," Henry says. "If you do not know and trust the link, cancel the action.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/7/2014 | 8:35:10 AM
re: QR Code Malware Picks Up Steam
Yes QR Codes are simply everywhere. Be cautious when you want to scan with your mobile devices. I only scan QR Code images from reliable sources. http://www.yiigo.com/guides/vb...
User Rank: Apprentice
3/2/2012 | 5:39:49 AM
re: QR Code Malware Picks Up Steam
QR codes are a boon for mobile marketers, as they have a Gǣcool factorGǥ
and are convenient for getting attention and traffic to a website,
mobile app or other advertisement. However, these unique square barcodes
have become popular targets for mobile attacks because once a user
scans the QR code with a mobile deviceGs camera there is no indication or guarantee for where they will be taken and whether the destination site or app is safe.-
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.