silversurfer

Level 63
Verified
Trusted
Content Creator
Malware Hunter
The use of QR codes has risen during the pandemic as they offer a perfect solution to contactless interaction. But many employees are also using their mobile devices to scan QR codes for personal use, putting themselves and enterprise resources at risk.

A new study from security platform MobileIron shows that 84 percent of people have scanned a QR code before, with 32 percent having done so in the past week and 26 percent in the past month. In the last six months, 38 percent of respondents say they have scanned a QR code at a restaurant, bar or café, 37 percent at a retailer and 32 percent on a consumer product. It's clear that codes are popular and 53 percent of respondents want to see them used more broadly in the future. 43 percent plan to use a QR code as a payment method in the near future and 40 percent of people would be willing to vote using a QR code received in the mail, if it was an option.

However, QR codes are a tempting attack route for hackers too as the mobile user interface prompts users to take immediate actions, while limiting the amount of information available before, for example, visiting a website.

"Hackers are launching attacks across mobile threat vectors, including emails, text and SMS messages, instant messages, social media and other modes of communication," says Alex Mosher, global vice president of solutions at MobileIron. "I expect we'll soon see an onslaught of attacks via QR codes. A hacker could easily embed a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned. Or, the hacker could embed a malicious URL into a QR code that directs to a phishing site and encourages users to divulge their credentials, which the hacker could then steal and use to infiltrate a company."
Full report by researchers: MobileIron Research Reveals QR Codes Pose Significant Security Risks to Enterprises and End Users | Mobileiron.com
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
This is one reason why I personal pretty thoroughly tested QR code readers/scanners on my phone, as the built-in automatic opened urls.
I started to see it a bit more in shops/food stores etc then maybe a year ago, but it's still a bit rare.
 

Bonorex

Level 1
In my opinion, it's also a matter of QR apps used. I installed the free QR scanner from Kaspersky, which checks if the weblink is safe before accessing the site. In this way, the risk is not bigger than accessing websites in the traditional way, via web browsers. Of course, having an antivirus installed grants additional security.
 

Spawn

Administrator
Verified
Staff member
In this way, the risk is not bigger than accessing websites in the traditional way, via web browsers. Of course, having an antivirus installed grants additional security.
If the QR app already scans the link before allowing the end user to visit, then the threat is already blocked without the need for an AV for Android?

Does the official Google Camera app support QR?
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
I think I need to pitch in here with an advice and also a bit more information what I found out from my own tests.

When I tested several QR apps, more or less all from major AV vendors like Trend Micro, Avira, Norton, Kaspersky etc and also several unknown I noticed that even if stated not automatic redirect/open the urls, the majority still did. That's pretty important as personal I would not use an QR app that behave in that order, and it dosen't matter if the app comes from F-Droid or Google Play Store.

Now with that said. My tests was done more then a year ago, and I didn't listed every single app that I tested. Only those that seems to been secure enough at that time and actually did what I wanted. My personal advice on this, is to actually test a few apps and see what happens. If it opens the url/link automatic in your default browser, you should check first if there exist any settings in the app itself that you can enable, or strongly consider switch/change to another app.
 
Last edited:
Top