Threat Update: Malicious QR Codes Pose Risk to iPhone, Android Devices

By Ericka Chickowski

While it may be tempting to scan that QR code with your iPhone or Android phone, it's not a good idea. Hackers, pranksters and fraudsters are now using those QR codes in phishing attacks and to download malware to your device.

We've all seen those interesting little white barcode boxes with lots of squiggles and lines that urge us to scan them with our cell phones. Called QR codes, these shortcut codes to mobile websites and applications are an elegantly simple way to cram loads of information into users' devices with total ease. But the same convenience and seamlessness that make this technology a great way to transmit information also make it an ideal vector for hackers, pranksters and fraudsters to use against us, security experts warn.

"The idea behind QR code, is pretty simple.  It’s a small matrix barcode that consists of black modules arranged in a square pattern on a white background and can store alphanumeric characters. These characters can hold text or URLs," said Tomer Teller, security evangelist at Check Point Software Technologies. "Without scanning the barcode one cannot figure out what kind of information is stored in the matrix. This is the perfect attack vector for attackers who want to conceal their attacks."

Just as URL-shortening services have made it easy to spread malware through social media and the web, QR codes are doing the same for hackers, who love them for their obscurity, security pros say.

"It is very easy to make a QR code and redirect it someplace so that a person thinks they're going to go to a Coca-Cola website when actually you switch out that code and you send them to a malicious website where it automatically downloads malicious code to your mobile device," said Damon Petraglia, director of forensic and information security services for Chartstone, who said the biggest risk is that people cannot deny their own curiosity.

Attackers can fool users into scanning bad QR codes several ways. They might put a sticker over an advertisement's legitimate QR code. They might just print up some phony ads or flyers and distribute them in a public place. Or they might send them in a traditional spam attack.

"The idea is to redirect you to somewhere malicious," said Teller. "QR is working well so far because it’s cool, easy and convenient. Also, people tend to click through menus before verifying-- (if asked) 'Are you sure you want to go to http://www.evil.com/ ', users will usually click yes!"

Once a victim has scanned a malicious QR code, the attackers can come at them in a number of different ways. They can use the code to direct the victim to phishing sites just like with emailed spam. Or they can be used to install malware on the phone.

"On the iPhone attackers are re-purposing the jail-break exploits to redirect users to a website that will jailbreak their device and install additional malware," Teller said. "On the Android, the chances of getting infected are often much higher, since application are allowed to do actions such as sending SMS, blocking SMS and making calls. Instead of jail breaking the Android, criminals are redirecting users to download malicious applications."

For example, on Android QR codes are being used to install the Trojan "jimm.apk" on users’ phones, according to Paul Henry, security and forensic analyst at Lumension.

"Once installed, this malware automatically sends SMS messages to a "paid" number at a cost of $6 per SMS message to the unsuspecting infected user," he said.

According to Joe Levy, CTO of Solera Networks, IT managers and service providers need to be vigilant about these types of attacks.

"Most of the QR code applications today provide a layer of mediation, informing the user of the target URL or device action, and requiring confirmation before any activity is performed. Unfortunately, there is no standard for this, and there are a number of applications that browse directly to URLs immediately following a successful scan, or that do not set 'ask before opening' as a default," he said. "Since the increasing use of QR codes is likely an inevitability, IT and security staffs should proactively pre-screen available QR applications, and offer the best-behaved to their users as 'approved.'"