As mobile marketers latch onto the convenience and cool-factor of QR codes, hackers are starting to take advantage of these square, scannable bar codes as a new way to distribute malware. Like all mobile attack vectors, it is a new frontier that security researchers say is not extremely prevalent, but which has a lot of potential to wreak havoc if mobile developers and users stand by unaware.
The success of QR codes among mobile fans has largely been pinned on their simplicity.
“QR codes are growing in popularity and seem to be popping up everywhere — magazine ads, newsletters, real-estate signs, newspaper ads, and in trade-show booths,” says Paul Henry, security and forensic analyst at Lumension. “In the simplest of terms, a QR code is a 2D bar code that can store data which can then be read by smartphone users. The data is an easy way to direct a user to a particular website with a simple scan of the QR code, but it could also just as easily be a link to a malicious website.”
Just point your mobile device’s camera at the code and scan it, and the scan will take you to the website or mobile app download that its promoter promises to provide. The difficulty is that you’re depending on the honesty of that provider, or on the assumption that the code hasn’t been tampered with, to know the destination is legitimate.
“QR codes, while perhaps convenient for the user, clearly open the door to the clever obfuscation of malicious links for would-be bad guys,” Henry says.