Threat Intelligence Blog

Posted October 20, 2010

QR Codes: A Recipe for a Mobile Malware Tsunami
Example of a QR code. Scan this and you’ll be taken to…?

QR codes are another way to connect people with content online. These small squares of black and white dots can be scanned with mobile devices like iPhones and Blackberries to quickly deliver the user to more information (“QR” meaning “quick response”). They’re most often found offline, in the “real world” in places like store fronts, in printed materials, and in advertisements. When you use your mobile phone or other mobile device to scan the QR code, it should bring you to online content about the product associated with the QR code.

As Gartner blogger Mark Raskino recently noted, Japanese consumers have been exposed to QR codes for some time, and the adoption of QR codes here in the west is growing. “Over the last 12 to 18 months, many major Western airlines have started to push mobile phone based Check-in services that also use matrix barcodes on mobile phones, to replace the paper boarding pass”, writes Raskino.

There are many consumer benefits to QR codes, but let’s stop and think about how an attacker might use QR codes, and about the potential risks to consumers.

  • Botnet operators wishing to infect mobile devices are likely to turn to the tried-and-true method of sending out millions of spam emails to attack consumers. However, instead of a photo or a graphic designed to get naive consumers to click on it (“Like pictures of Britney Spears? Click the image below for more!!1!1!!”), we can expect to see QR codes used maliciously (“Download the new Twitter app onto your phone! Just scan the QR Code below!”).
  • If a large, global corporation wants to neutralize the market advantage of a competitor, a dummy corporation with false contact information could easily be set up; this dummy corporation then takes out an alluring advertisement in a local magazine or publication that is likely to be read by an educated labor force in the region near the competitor’s facilities. The advertisement contains a QR code that, when scanned, delivers the end user’s mobile device to a website that contains enough superficial information matching the original print advertisement so as not to be suspicious, but in the background mobile malware is being installed on the user’s device. This malware can in turn infect home or work computers that the mobile device is later plugged into.
  • Most of us know we should not access wifi hotspots titled “Free Public WiFi”. But what about a mall parking lot on the day after Thanksgiving that is peppered with flyers containing a QR code reading “Get a free hot cocoa with your holiday shopping receipt! Just scan this QR code!”? Of course, there’s no free hot cocoa on the way, just a mobile malware drive-by download.

Consider the following two photos, which show a large QR code pasted onto a sign warning drivers of nearby construction. The sign happened to be found by the author in between drafts of this Cyveillance blog post. Below the QR code it reads, “Using a smartphone, Download ZXING, Scan and Open Browser, Get 10 Free Itune [sic] Songs”.

QR Codes: scamming the public

A flyer containing a QR Code pasted on a local sign. (QR Code modified in this image to prevent it from working).

No, don't do it!

Note the incentive of 10 free “ITune” [sic] songs for scanning this QR code. (QR Code modified in this image to prevent it from working).

While ZXING appears to be software that allows smartphones to read QR codes, and should not be harmful to one’s mobile device, the QR code shown above simply delivers one to a politically-oriented news website. (There were, not surprisingly, no “ITune” songs upon arrival.)

Despite years of internet security experts reminding users to not click links they do not trust, users continue to click links in email and on websites without knowing where they will take them. While QR codes are not as familiar to most end users today, their use is on the rise. They may never become a mainstay of malware distribution, but it is reasonable to expect malware distributors and other attackers at a minimum to experiment with QR codes, especially while consumers are still learning about them.
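One way a scanner app or mobile gateway could show the user where a scanned code leads and ask before opening it. This is an added example, not code from the original post; the function name, flag wording, and policy lists are assumptions, and the sample payloads are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy lists for this example; extend them for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}
PACKAGE_EXTS = (".apk", ".ipa", ".jar", ".sis", ".cab")


def triage_qr_payload(payload):
    """Classify decoded QR text; return the host to display and reasons to ask first."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return {"kind": "invalid", "host": None, "flags": ["unparseable"], "action": "confirm"}
    scheme = parts.scheme.lower()
    if not scheme:
        return {"kind": "text", "host": None, "flags": [], "action": "display"}
    if scheme not in ("http", "https"):
        # tel:, sms:, market: and similar trigger device actions, not page views.
        return {"kind": "uri", "host": None, "flags": ["non-web scheme: " + scheme], "action": "confirm"}

    host = (parts.hostname or "").lower()
    flags = []
    if not host:
        flags.append("missing host")
    if scheme == "http":
        flags.append("no TLS")
    if parts.username is not None:
        flags.append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host")
    bare = host[4:] if host.startswith("www.") else host
    if bare in SHORTENERS:
        flags.append("shortener hides destination")
    if parts.path.lower().endswith(PACKAGE_EXTS):
        flags.append("direct app package download")
    return {"kind": "url", "host": host, "flags": flags,
            "action": "confirm" if flags else "open"}


if __name__ == "__main__":
    # Constructed payloads, as a QR decoder would hand them over.
    for sample in ("https://www.example.com/promo", "http://203.0.113.7/twitter.apk",
                   "https://bit.ly/abc123", "sms:+15555550100?body=JOIN"):
        print(sample, "->", triage_qr_payload(sample))
```

An empty flag list means only that none of these heuristics fired; the host should still be shown to the user before the browser opens.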

Until the message of pervasive online threats really hits home and consumers always think before clicking whatever is put in front of them, we still have a big problem on our hands. Given that data from 2009 shows that approximately fifteen percent of drivers still don’t use a seat belt, a situation with life or death consequences, we probably still have many years to go before lessons about safe internet browsing really take root.
