Smartphone Woes: QR Attacks

You see them everywhere, and are pretty curious about what they are hiding. It’s like a secret code that you can instantly crack with that shiny little device in your pocket. So you scan them incessantly, hoping to get a free burger, or get a better spec report on that laptop in BestBuy.

But depending on your phone, or the QR scanning app you use, your phone may auto-direct you to a malware site, or compose an SMS message to sign you up for a paid service, such as Hot Singles in your area, or your $30 a month horoscope.

Now, if you see a random QR code on a phone booth or telephone pole, you’re more likely to pay attention to what it’s asking your phone to do. The bigger threat is when someone puts a malicious QR code on top of the intended one. You see a sign on a community bulletin board for a beach volleyball tournament, and the oiled-up man that you are decides that this is the best way to show off your sexy abdominals. You scan the code, which is supposed to take you to the information page, but instead, you’ve now been prompted to send a pre-composed text to an unknown number. Maybe they’ll text you the details, so you hit send.

First of all, stop oiling up your abs. It’s gross. Second, you’ve clicked right past the warning signs (what is supposed to be a link to a site is now a text) and bull-headedly smashed your way through to the land of monthly horoscope subscriptions. Congratulations. How can you avoid this? The first thing you need to do is see how your QR scanner works. On my phone, the Bing visual search will recognize QR codes and display the link over the live feed of the camera, but it waits for you to click it. The AT&T scanner app forces you to take a picture, which is then analyzed for codes, and automatically directs you to the intended destination. This is bad. Look for apps that preview the information. The second thing you need to do is pay attention to what you’re doing. Just like phishing scams in email, if you click a link to PayPal, and it redirects you to paypal.scamjob.net, you should probably not enter your information.
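As an added illustration (not code from the original post), here is the kind of preview logic a safer scanner applies before acting: it decodes what the QR payload is asking the phone to do, flags a mismatch between what the sign promised (a link) and what the code contains (a text message), and catches the paypal.scamjob.net lookalike case. The SMS payload forms, the constructed sample numbers and the "last two labels" domain approximation are assumptions, not details from the article.

```python
from urllib.parse import urlsplit, parse_qs, unquote

def classify_payload(payload):
    """Describe what a scanner would do with the decoded QR text, without doing it.
    Handles the two common SMS encodings (SMSTO:num:msg and sms:num?body=msg),
    tel:, http(s) URLs, and falls back to plain text. 'acts' flags payloads whose
    default handling has a side effect (sending, dialling) rather than just viewing."""
    p = payload.strip()
    up = p.upper()
    if up.startswith("SMSTO:"):
        number, _, body = p[6:].partition(":")
        return {"kind": "sms", "to": number, "body": body, "acts": True}
    if up.startswith("SMS:"):
        parts = urlsplit(p)
        body = parse_qs(parts.query).get("body", [""])[0]
        return {"kind": "sms", "to": parts.path, "body": unquote(body), "acts": True}
    if up.startswith("TEL:"):
        return {"kind": "tel", "to": p[4:], "acts": True}
    if up.startswith(("HTTP://", "HTTPS://")):
        return {"kind": "url", "host": (urlsplit(p).hostname or "").lower(), "acts": False}
    return {"kind": "text", "text": p, "acts": False}

def registrable_domain(host):
    """Naive 'last two labels' approximation (assumption: no public-suffix list);
    enough to show that paypal.scamjob.net belongs to scamjob.net, not paypal.com."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def preview_warnings(payload, expected_kind="url", trusted=("paypal.com",)):
    """Warnings a previewing scanner should show before the user taps open/send.
    expected_kind is what the sign or poster claims the code is (the article's
    case: a link); trusted lists brand domains the user actually means to reach."""
    info = classify_payload(payload)
    warnings = []
    if info["kind"] != expected_kind:
        warnings.append(f"expected {expected_kind}, payload is {info['kind']}")
    if info["acts"]:
        warnings.append(f"acting on this {info['kind']} payload sends/dials {info['to']}")
    if info["kind"] == "url":
        reg = registrable_domain(info["host"])
        # Brand name appears somewhere in the host, but the registrable domain is someone else's.
        for brand in trusted:
            if brand.split(".")[0] in info["host"] and reg != brand:
                warnings.append(f"host {info['host']} is registered under {reg}, not {brand}")
    return info, warnings

if __name__ == "__main__":
    # Constructed sample payloads (the 555 number is fictional).
    for sample in ("SMSTO:+15555550100:JOIN", "https://paypal.scamjob.net/login"):
        print(sample, preview_warnings(sample))
```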

As our phones open up to more and more types of content, they will be vulnerable to web-based attacks that may, one day, pull your credit card information from the NFC device on your phone. If you start treating your phone like the gold-mine of data that it is, you will save yourself a headache in the future.

The above QR code just sends a text to one of my GV numbers. If you blindly scanned it, then go ahead and send the text. I won’t harvest your phone numbers, I just want to see how many people clicked it.

5 thoughts on “Smartphone Woes: QR Attacks”

  1. Kind of surprised that QR’s haven’t been used for more malicious purposes, but most people I know don’t know what they are or how to use them.

  2. Android’s most popular scanning app, “Zxing Barcode Scanner,” pops up the link and then tells you what it is before taking any potentially harmful action. When I scanned the one attached to the article, I got the number, the message, and then a button that says “send SMS”.

    On the side, under the scanned image, it gives the code format “QR_CODE”, the information type “SMS”, and some other, less useful stuff.

    It’s pretty slick, and anyone with an Android device should be using it if they are the barcode scanning type.
