Threat Update: Malicious QR Codes Pose Risk to iPhone, Android Devices


Jan 26, 2012

We’ve all seen those interesting little white barcode boxes
with lots of squiggles and lines that urge us to scan them with our cell phones.
Called QR codes, these shortcut codes to mobile websites and applications are
an elegantly simple way to cram loads of information into users’ devices with
total ease. But the same convenience and seamlessness that make this
technology a great way to transmit information also make it an ideal vector
for hackers, pranksters and fraudsters to use against us, security experts
warn.

"The idea behind QR code is pretty simple. It’s
a small matrix barcode that consists of black modules arranged in a square
pattern on a white background and can store alphanumeric characters. These
characters can hold text or URLs," said Tomer Teller, security evangelist
at Check Point Software Technologies. "Without scanning the barcode one
cannot figure out what kind of information is stored in the matrix. This is the
perfect attack vector for attackers who want to conceal their
attacks."

Just as URL shortening services have made it easy to
spread malware through social media and the web, QR codes are doing the same for
hackers, who love them for their obscurity, security pros say.

"It is very easy to make a QR code and redirect it
someplace so that a person thinks they’re going to go to a Coca-Cola website
when actually you switch out that code and you send them to a malicious website
where it automatically downloads malicious code to your mobile device," said
Damon Petraglia, director of forensic and information security services for
Chartstone, who said the biggest risk is that people cannot deny their own
curiosity.

Attackers can fool users into scanning bad QR codes in several
ways. They might put a sticker over an advertisement’s legitimate QR code. They
might just print up some phony ads or flyers and distribute them in a public
place. Or they might send them in a traditional spam attack.

"The idea is to redirect you to somewhere malicious,"
said Teller. "QR is working well so far because it’s cool, easy and
convenient. Also, people tend to click through menus before verifying – (if
asked) ‘Are you sure you want to go to http://www.evil.com/’, users will
usually click yes!"

Once a victim has scanned a malicious QR code, the attackers
can come at them in a number of different ways. They can use the code to direct
the victim to phishing sites, just as with emailed spam. Or they can use it
to install malware on the phone.

"On the iPhone attackers are re-purposing the
jailbreak exploits to redirect users to a website that will jailbreak their
device and install additional malware," Teller said. "On the Android,
the chances of getting infected are often much higher, since applications are allowed
to do actions such as sending SMS, blocking SMS and making calls. Instead of
jailbreaking the Android, criminals are redirecting users to download
malicious applications."

For example, on Android QR codes are being used to install
the Trojan "jimm.apk" on users’ phones, according to Paul Henry, security
and forensic analyst at Lumension.

"Once installed, this malware automatically sends SMS
messages to a ‘paid’ number at a cost of $6 per SMS message to the
unsuspecting infected user," he said.

According to Joe Levy, CTO of Solera Networks, IT managers
and service providers need to be vigilant about these types of attacks.

"Most of the QR code applications today provide a layer
of mediation, informing the user of the target URL or device action, and
requiring confirmation before any activity is performed. Unfortunately, there
is no standard for this, and there are a number of applications that browse
directly to URLs immediately following a successful scan, or that do not set
‘ask before opening’ as a default," he said. "Since the increasing
use of QR codes is likely an inevitability, IT and security staffs should
proactively pre-screen available QR applications, and offer the best-behaved to
their users as ‘approved.’"
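
The mediation layer Levy describes can be sketched as a function that only describes what a decoded QR payload would do and never performs it. This is an added example, not code from the article or from any scanner app; the function name, warning texts and sample payloads are assumptions, and the samples are constructed (the `.apk` file name is the one mentioned above).

```python
import ipaddress
from urllib.parse import urlsplit

# URI schemes that trigger a device action instead of loading a page.
DEVICE_ACTIONS = {"sms": "send an SMS", "smsto": "send an SMS",
                  "tel": "place a call", "market": "open an app store listing"}

def mediate(payload):
    """Describe what a decoded QR payload would do, without doing it."""
    text = payload.strip()
    scheme = text.partition(":")[0].lower()
    if scheme in DEVICE_ACTIONS:
        return {"kind": "device-action", "confirm": True,
                "display": f"{DEVICE_ACTIONS[scheme]}: {text}",
                "warnings": ["triggers a device action, not a web page"]}
    if scheme not in ("http", "https"):
        # Anything unrecognised is only displayed, never dispatched.
        return {"kind": "text", "confirm": False, "display": text, "warnings": []}
    try:
        parts = urlsplit(text)
    except ValueError:
        return {"kind": "text", "confirm": False, "display": text,
                "warnings": ["malformed URL, not opened"]}
    host = parts.hostname or ""
    warnings = []
    if scheme == "http":
        warnings.append("connection is not encrypted")
    if "@" in parts.netloc:
        warnings.append("text before '@' is not the destination host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # host is a name, not an IP literal
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("host uses punycode (possible look-alike name)")
    if parts.path.lower().endswith(".apk"):
        warnings.append("link downloads an Android application package")
    # The real destination host leads the prompt; the user must confirm.
    return {"kind": "url", "confirm": True, "host": host,
            "display": f"Open {host}? Full link: {text}", "warnings": warnings}

# Constructed sample payloads, as a scanner might decode them.
SAMPLES = ["https://www.example.com/menu", "SMSTO:+15550100:hello",
           "http://brand.example@203.0.113.7/app/jimm.apk"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(mediate(s))
```

An app that passes a pre-screening of the kind Levy suggests would show the `display` text and any `warnings`, then wait for confirmation whenever `confirm` is true.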

 
