Can QR Codes Spread Computer Viruses?

APCUG's picture

Any doubts I may have had about the viability of QR codes have evaporated. You know a new technology is catching on when malware authors start using it to snare unwary users. Read on to learn how those funny black squares can carry a nasty (and expensive) payload...

QR codes are squares of black and white patterns that encode the URLs of Web sites in a format that can be scanned and deciphered by smartphones equipped with the right apps. Instead of typing a URL into your phone's browser, you can just snap a picture of a QR code and be whisked to an ad, an informative Web page... or a malicious site that silently downloads a virus, rootkit, or trojan to your phone.

Kasperky Labs has detected two samples of malware delivered via QR codes, both targeting Android phones. One of them sends SMS messages from the infected phone to a premium-priced number; each text message costs the victim six dollars! Other types of malware can scoop up your contacts list, send spam emails in your name, and wreak other sorts of mischief. (https://www.securelist.com/en/blog/208193145/Malicious_QR_Codes_Pushing_Android_Malware)

Can a QR code itself contain malware? Theoretically, yes, but it wouldn't do much. A QR code can contain only a limited amount of data: 7089 numeric characters or 4296 alphanumeric characters. You can't write much of a program in that space. But a QR code can easily take you to a malicious site.

Humans cannot tell one QR code from another, generally speaking. You have no idea where a QR code is going to take you until you scan it, and then it's too late. So it pays to be skeptical of all QR codes, while exercising some common sense.

QR codes printed in paper publications, on in-store posters, on coupons from well-known retailers, and similar places are unlikely to be malicious. But never forget the days when shrink-wrapped software packages were infected with malware at the factory by disgruntled workers.

A QR code on a Web page is more easily compromised. If a hacker can crack the site's security, he can replace a legitimate QR code with a malicious one of his own. There have already been reports of malicious QR codes showing up in spam emails. Be a bit more cautious before scanning online QR codes, and especially if they arrive in unsolicited emails.

If you notice a sticker bearing a QR code just randomly slapped up on a wall or a sign post, think twice before scanning it. On the other hand, this method of distributing malicious QR codes is so inefficient that it probably isn't used much.

Malicious QR codes can be countered by anti-malware apps that translate a QR code into a URL and allow a user to review it in plain text before deciding whether to let the Web page be fetched. Better still, look for an app that prescreens all URLs against a blacklist of known attack sites. Norton Snap is one such app that works on both Android and iOS devices. In addition, Lookout Mobile Security and the McAfee Antivirus & Security app (both for Android) claim to protect you from malicious URLs in QR codes.

On a semi-related note, I should mention that Microsoft has invented its own version of QR codes, presumably to inject a little more confusion into the world of computing. Microsoft Tag barcodes are similar to QR codes, but different. Some QR code readers can understand Tags, and some Tag readers can understand QR codes. But not all of the code reader apps do both. Hopefully, a unified qr/barcode/tag standard will evolve in our lifetime, and malware authors won't have to work so hard to scam smartphone users who scan random codes.

Malicious QR codes are still rare, but if they work you can be sure that many more will appear quite rapidly. It's better to be on your guard now than after you scan the wrong QR Code.

Artilce by Bob Rankin, Ask Bob Rankin

www.askbobrankin.com

From Rankin’s June 4, 2012 newsletter, reprinted with permission