QR codes are a wonderfully charming technology… demonstration. But how many of us actually use them on a regular basis? Outside of Japan (the birthplace of QR), the only use cases I’ve seen with any real prevalence are:
1) Quickly getting to an Android app’s download page from a review site.
2) When you really, really want to know more about that print mag’s McDonald’s ad.
3) Scanning that mysterious QR code sticker that someone stuck on the wall in a tame but oh-so-technophilic act of modern vandalism.
You might want to avoid that last one from here on out. The baddies of the world have caught on to QR codes, so scanning that stray QR code might lead you to some nasty, nasty malware.
Now, to be clear: there’s nothing inherently wrong with the QR code itself. The QR code is just a visual representation of data which gets passed to the phone — so even if there were some way to directly exploit QR codes, its effect would vary greatly based on how each respective platform handles the data passed to it.
Instead, the nasties are using QR codes to lure people into downloading Android malware. While some users are likely to assume that QR codes are unique to the Android market and thus be comfortable scanning them, these codes actually take you to an Android install package hosted on some third-party server. The QR code itself isn’t bad — but the link it’s obfuscating is.
Once downloaded, the dirty app (which, in the most recent case, was a hacked version of the Russian ICQ client, Jimm) begins firing off text messages to a premium number. Each text it sends (without your knowledge) sets you back around $5+. You can find an outline of the method by Kaspersky Labs here.
It’s not hard to imagine how this concept could get nasty quick. Users, for the most part, would trust a QR code the same way they just a link on a company’s own website. Take a QR-enabled ad on a public wall, for example; how simple would it be for the “hacker” to simply slap a sticker of his nefarious QR code on top of yours? Would anyone notice?