QR Code Malware Picks Up Steam

Attackers tricking users into scanning fake QR codes that lead to malicious sites and apps

As mobile marketers latch onto the convenience and cool-factor of QR codes, hackers are starting to take advantage of these square, scannable bar codes as a new way to distribute malware. Like all mobile attack vectors, it is a new frontier that security researchers say is not extremely prevalent, but which has a lot of potential to wreak havoc if mobile developers and users stand by unaware.

The success behind QR code usage among mobile fans has largely been pinned on its simplicity.

"QR codes are growing in popularity and seem to be popping up everywhere -- magazine ads, newsletters, real-estate signs, newspaper ads, and in trade-show booths," says Paul Henry, security and forensic analyst at Lumension. "In the simplest of terms, a QR code is a 2D bar code that can store data which can then be read by smartphone users. The data is an easy way to direct a user to a particular website with a simple scan of the QR code, but it could also just as easily be a link to a malicious website."

Just point your mobile device's camera at the code and scan it, and the reader will take you to the website or mobile app download that its promoter promises. The difficulty is that you are relying on the honesty of that promoter, and on the assumption that the code has not been tampered with, to know the destination is legitimate.

"QR codes, while perhaps convenient for the user, clearly open the door to the clever obfuscation of malicious links for would-be bad guys," Henry says.

The simplicity is a double-edged sword: the code itself gives no clue as to what it encodes, so you have no way to tell whether the destination is good or bad before you scan it.

"The big problem is that the QR code to a human being is nothing more than 'that little square with a bunch of strange blocks in it.' There's no way to tell what is behind that QR code," says Damon Petraglia, director of forensic and information security services for Chartstone. "And the biggest risk is that people cannot deny their own curiosity. If people see a random QR code that's not connected to anything, just a sticker on the wall, they're going to scan it because they want to know what the heck it is."

Attackers depend on that curiosity and the innate obfuscation of QR codes to craft their attacks.

"Much like URL-shortening services can be and are used maliciously because of the fact that they obscure the real target URL, QR codes can also be used for such deception," says Joe Levy, CTO of Solera Networks. "But QR codes -- typically read by QR code-scanning applications running on smartphones -- provide a direct link to other smartphone capabilities, such as email, SMS, and application installation. So potential attack vectors extend beyond obscured URLs and browser exploits very nearly to the full suite of device capabilities."

The basic idea behind malicious QR codes is to trick people into scanning the code and redirect them to an infected site, malicious app, or phishing site.

The first part -- convincing the user to scan the code in the first place -- is done through a couple of methods.

"You're going to see this in two ways," Petraglia says. "You're going to see the QR code come in through spam-like emails, and you're also going to see them physically distributed around, whether it be flyers in a parking lot or even malicious stickers pasted over different legitimate ads."

From there, the world is the attackers' oyster. They are already using malicious codes to perpetrate their scams in a number of ways. On iOS devices, for example, hackers are repurposing jailbreak exploits to send users to websites that will jailbreak the device and install additional malware, says Tomer Teller, security evangelist at Check Point Software Technologies.

"This is essentially a drive-by-download attack, where a user scans a bar code and is redirected to an unknown website," he says. "This website hosts modified exploits of the original jailbreak. Once visited, the user phone will be jailbroken and additional malware could be deployed [such as keyloggers and GPS trackers]."

Because Android allows applications to run in the background and generally offers more app freedom, it is more susceptible to QR code attacks.

"On the Android, the chances of getting infected are often much higher since applications are allowed to do actions such as sending SMS, blocking SMS, making calls, etc.," Teller says. "Criminals are redirecting users to download malicious applications. All a user needs to do is scan a barcode, and it will redirect to a website that will download the Android Application."

In addition, attackers are using QR codes to redirect users to fake websites for phishing.

"A QR code will redirect to a fake bank that will look exactly like your bank. Since most smartphone screens are small, a normal user may not see the difference and will type in his or her [information] and hand it to the attackers," Teller says.

According to Levy, the frequency of these attacks is not yet alarmingly high, but it is definitely worth keeping an eye out for.

"While there have been reports and proofs of concept of malicious QR code use, it is still not a widespread problem, although we should expect this to change as the QR code-capable target audience continues to grow," he says.

One of the biggest mobile evolutions that could make QR code malware really dastardly is the move of entrepreneurs to utilize these codes for increased levels of functionality on our phones, particularly for mobile payments.

"One that I'm sure will attract the attention of malicious actors will be the incipient development of QR-based payment systems, such as we're seeing from LevelUp, Kuapay, and PayPal," Levy says. "As our mobile devices and our wallets continue to converge through such technologies as near field communications [NFC], Bump, and QR, malware authors are bound to prefer these very direct paths to the money. Inventors and authors of these types of services and applications must be held to a very high -- perhaps even highly regulated -- standard. After all, these devices and apps are well on the road to becoming our new currency."

In the interim, though, users and organizations can start protecting themselves from the most basic of QR code attacks by giving themselves some visibility into what they scan. It is all a matter of choosing the right scanning application for the phone.

"Only use QR code reader software that allows the user to confirm the action to be taken -- i.e., visit a website link," Henry says. "If you do not know and trust the link, cancel the action."
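As an added illustration of the "confirm before acting" reader behaviour Henry recommends (example code written for this edit, not from the article or from any vendor named in it), the snippet below classifies a decoded QR payload by the scheme it carries and builds the prompt a cautious reader would show before opening it. The shortener list and the sample payloads are constructed.

```python
from urllib.parse import urlsplit

# Actions a QR payload can trigger once a reader hands it to the phone (the article
# names email, SMS and app installation beyond plain website links).
SCHEME_ACTIONS = {
    "http": "open website", "https": "open website",
    "mailto": "compose email", "sms": "send SMS", "smsto": "send SMS",
    "tel": "place phone call", "market": "open app store / install app",
    "intent": "launch Android intent",
}
# Constructed sample of shortener hosts; a real reader would maintain a fuller list.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}

def classify(payload: str) -> dict:
    """Describe what acting on a decoded QR payload would do and why a user should pause."""
    scheme, sep, _ = payload.partition(":")
    scheme = scheme.lower() if sep else ""
    action = SCHEME_ACTIONS.get(scheme, "unknown action: do nothing automatically")
    flags = []
    if scheme in ("http", "https"):
        host = (urlsplit(payload).hostname or "").lower()
        if scheme == "http":
            flags.append("plain HTTP: the destination cannot be authenticated")
        if host in SHORTENERS:
            flags.append("URL shortener: the real destination is hidden")
        if host.replace(".", "").isdigit():
            flags.append("raw IP address instead of a domain name")
        elif host.count(".") >= 3:
            flags.append("deeply nested host name: may imitate a known brand")
    elif scheme in SCHEME_ACTIONS:
        flags.append(f"uses a device capability beyond the browser: {action}")
    else:
        flags.append("no recognised URL scheme: show as plain text, do not open")
    return {"scheme": scheme, "action": action, "flags": flags}

def confirmation_prompt(payload: str) -> str:
    """Text a confirm-before-acting reader would show instead of acting silently."""
    info = classify(payload)
    lines = [f"Scanned content: {payload}", f"Action: {info['action']}"]
    lines += [f"Warning: {f}" for f in info["flags"]]
    lines.append("Proceed? Cancel if you do not know and trust this destination.")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample payloads (not taken from the article).
    for p in ("https://www.example.com/menu", "http://bit.ly/x9z", "sms:+15550100?body=JOIN"):
        print(confirmation_prompt(p), end="\n\n")
```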

3/7/2014 | 8:35:10 AM
re: QR Code Malware Picks Up Steam
Yes, QR codes are simply everywhere. Be cautious when you want to scan with your mobile devices. I only scan QR code images from reliable sources. http://www.yiigo.com/guides/vb...
3/2/2012 | 5:39:49 AM
re: QR Code Malware Picks Up Steam
QR codes are a boon for mobile marketers, as they have a "cool factor" and are convenient for getting attention and traffic to a website, mobile app or other advertisement. However, these unique square barcodes have become popular targets for mobile attacks because once a user scans the QR code with a mobile device's camera there is no indication or guarantee for where they will be taken and whether the destination site or app is safe.