The success behind QR code usage among mobile fans has largely been pinned on its simplicity.
"QR codes are growing in popularity and seem to be popping up everywhere -- magazine ads, newsletters, real-estate signs, newspaper ads, and in trade-show booths," says Paul Henry, security and forensic analyst at Lumension. "In the simplest of terms, a QR code is a 2D bar code that can store data which can then be read by smartphone users. The data is an easy way to direct a user to a particular website with a simple scan of the QR code, but it could also just as easily be a link to a malicious website."
Just point your mobile device's camera on the code and scan it, and the reading will take you to the website or mobile app download that its promoter promises to provide. The difficulty is that you're depending on the honesty of that provider or the assumption that the code hasn't been tampered with to know the destination is legitimate.
"QR codes, while perhaps convenient for the user, clearly open the door to the clever obfuscation of malicious links for would-be bad guys," Henry says.
The simplicity is a double-edged sword because it actually hides the nature of the individual QR code, not giving you any clues as to whether the destination really is good or bad.
"The big problem is that the QR code to a human being is nothing more than 'that little square with a bunch of strange blocks in it.' There's no way to tell what is behind that QR code," says Damon Petraglia, director of forensic and information security services for Chartstone. "And the biggest risk is that people cannot deny their own curiosity. If people see a random QR code that's not connected to anything, just a sticker on the wall, they're going to scan it because they want to know what the heck it is."
Attackers depend on that curiosity and the innate obfuscation of QR codes to craft their attacks.
"Much like URL-shortening services can be and are used maliciously because of the fact that they obscure the real target URL, QR codes can also be used for such deception," says Joe Levy, CTO of Solera Networks. "But QR codes -- typically read by QR code-scanning applications running on smartphones -- provide a direct link to other smartphone capabilities, such as email, SMS, and application installation. So potential attack vectors extend beyond obscured URLs and browser exploits very nearly to the full suite of device capabilities."
The basic idea behind malicious QR codes is to trick people into scanning the code and redirect them to an infected site, malicious app, or phishing site.
The first part -- convincing the user to scan the code in the first place -- is done through a couple of methods.
"You're going to see this in two ways," Petraglia says. "You're going to see the QR code come in through spam-like emails, and you're also going to see them physically distributed around, whether it be flyers in a parking lot or even malicious stickers pasted over different legitimate ads."
From there, the world is the attackers' oyster. They are already using malicious codes to perpetrate their scams in a number of ways. On iOS devices, for example, hackers are repurposing jail-break exploits to send users to websites that will jailbreak the device and install additional malicious malware, says Tomer Teller, security evangelist at Check Point Software Technologies.
"This is essentially a drive-by-download attack, where a user scans a bar code and is redirected to an unknown website," he says. "This website hosts modified exploits of the original jailbreak. Once visited, the user phone will be jailbroken and additional malware could be deployed [such as keyloggers and GPS trackers]."
Because Android allows applications to run in the background and generally offers more app freedom, it is more susceptible to QR code attacks.
"On the Android, the chances of getting infected are often much higher since applications are allowed to do actions such as sending SMS, blocking SMS, making calls, etc.," Teller says. "Criminals are redirecting users to download malicious applications. All a user needs to do is scan a barcode, and it will redirect to a website that will download the Android Application."
In addition, attackers are using QR codes to redirect users to fake websites for phishing.
"A QR code will redirect to a fake bank that will look exactly like your bank. Since most smartphone screens are small, a normal user may not see the difference and will type in his or her [information] and hand it to the attackers," Teller says.
According to Levy, the frequency of these attacks is not yet alarmingly high, but it is definitely worth keeping an eye out for.
"While there have been reports and proofs of concept of malicious QR code use, it is still not a widespread problem, although we should expect this to change as the QR code-capable target audience continues to grow," he says.
One of the biggest mobile evolutions that could make QR code malware really dastardly is the move of entrepreneurs to utilize these codes for increased levels of functionality on our phones, particularly for mobile payments.
"One that I'm sure will attract the attention of malicious actors will be the incipient development of QR-based payment systems, such as we're seeing from LevelUp, Kuapay, and PayPal," Levy says. "As our mobile devices and our wallets continue to converge through such technologies as near field communications [NFC], Bump, and QR, malware authors are bound to prefer these very direct paths to the money. Inventors and authors of these types of services and applications must be held to a very high -- perhaps even highly regulated -- standard. After all, these devices and apps are well on the road to becoming our new currency."
In the interim, though, users and organizations can start protecting themselves from the most basic of QR code attacks by giving themselves some visibility into what they scan. It is all a matter of choosing the right scanning application for the phone.
"Only use QR code reader software that allows the user to confirm the action to be taken --- i.e., visit a website link," Henry says. "If you do not know and trust the link, cancel the action.”
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.