Barcode reader applications make phones vulnerable to malware

Sep 13, 2011 11:56 GMT  ·  By

The apparently harmless QR codes printed on almost any commercial product, poster or advertisement can be used to direct smartphones to malware.

A QR code is a two-dimensional matrix barcode; its largest version holds up to 2,953 bytes, far more than a linear barcode, so it can carry an entire URL or contact card rather than just a product number. With barcode reader apps now common on mobile phones, people scan these codes routinely to look up product data such as country of origin.

What most of us don't realize is that anything, including a malicious payload, can be encoded into these symbols: the reader cannot tell a link to a product page from a link to an attack server.

Augusto Pereyra wrote on the subject and warns that many barcode scanning apps installed on phones act on the decoded content immediately, opening a URL for instance, without first showing the user what was actually read from the image.

He explained that fake advertisements are the perfect vehicle for cybercriminals to distribute malicious software, and because this threat is still uncommon, most people don't fear for the safety of their phone when scanning a code.

In the proof-of-concept attack posted on his blog, Pereyra encoded the URL of an attack server into such a code. Any mobile device that scanned it with a reader that opens links automatically was sent straight to the malicious domain, with no chance to inspect the address first.

According to Kaspersky researchers, the implementation of Near Field Communication (NFC) in smartphones is already known to expose them to denial-of-service attacks.

“As with the NFC attacks, QR attacks work mainly because users can't easily vet the content stored in the tags before they are scanned. The data in QR tags - rendered in machine-readable bar codes - must be scanned to reveal the purpose of the tag. That, effectively, creates a 'run first, ask questions later' implementation that greatly benefits attackers,” revealed Kaspersky Lab researcher Timothy Armstrong.

These facts should make people acknowledge the dangers that lurk behind these symbols and think twice before scanning a code of unknown origin.

Until readers handle this better, the best thing you can do is make sure the barcode application on your phone shows you the decoded content and asks for your approval before acting on it, rather than opening a URL on its own. At least this way, if the address looks suspicious, you have a chance to walk away with an uninfected phone.
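What "ask first" looks like in practice, for the reader behaviour Pereyra criticises and the advice above: the function below vets the text a decoder hands back before anything is opened. This is an added example, not code from the article or from Pereyra's blog. The scanner itself is not modelled; the strings in SAMPLE_SCANS are constructed stand-ins for decoder output, and the hosts, addresses and package names in them are placeholders, not real sites or campaigns.

```python
"""Vet the text decoded from a QR code before acting on it.

Added example, not code from the original article or from Pereyra's blog.
It shows a reader policy of "display first, act only with consent" instead
of "run first, ask questions later". The scanner itself is not modelled:
the strings in SAMPLE_SCANS are constructed stand-ins for decoder output.
"""
import ipaddress
from urllib.parse import urlsplit

# Web links: show the full URL, then open only if the user agrees.
BROWSER_SCHEMES = {"http", "https"}
# Payloads that trigger a device action (dial, text, e-mail, install,
# launch an app, join Wi-Fi): show what will happen, then ask.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "market", "intent", "wifi"}
# Never worth offering to open from a printed code.
BLOCKED_SCHEMES = {"javascript", "data", "file", "content"}
# Structured text formats that only carry data to display or save.
DATA_PREFIXES = ("BEGIN:VCARD", "MECARD:")


def classify_payload(payload: str) -> dict:
    """Classify one decoded QR payload.

    Returns {"verdict": ..., "target": ..., "reasons": [...]} where verdict is
      "text"   plain or structured data; display it, nothing to open
      "url"    web link; display the full URL and ask before opening
      "action" dials, texts, installs, joins a network; display and ask
      "block"  malformed or deceptive; display but never offer to open
    """
    payload = payload.strip()
    reasons = []
    if payload.upper().startswith(DATA_PREFIXES):
        return {"verdict": "text", "target": payload, "reasons": ["contact card"]}

    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    if not scheme:
        # No scheme at all: treat as opaque text. A bare "www.example.com"
        # is deliberately NOT promoted to a link here.
        return {"verdict": "text", "target": payload, "reasons": []}
    if scheme in BLOCKED_SCHEMES:
        return {"verdict": "block", "target": payload,
                "reasons": [f"{scheme}: URIs are not opened from scanned codes"]}
    if scheme in ACTION_SCHEMES:
        return {"verdict": "action", "target": payload,
                "reasons": [f"{scheme}: triggers a device action, not a web page"]}
    if scheme not in BROWSER_SCHEMES:
        return {"verdict": "block", "target": payload,
                "reasons": [f"unrecognised scheme {scheme!r}"]}

    host = parts.hostname
    if not host:
        return {"verdict": "block", "target": payload, "reasons": ["no host in URL"]}
    if parts.username is not None:
        # http://bank.example@203.0.113.5/ really goes to 203.0.113.5; the
        # part before '@' is a credential, a classic look-alike trick.
        return {"verdict": "block", "target": payload,
                "reasons": [f"URL carries a user name; real host is {host!r}"]}
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address, not a named site")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("internationalised host name; may imitate another site")
    try:
        if parts.port is not None and parts.port not in (80, 443):
            reasons.append(f"non-standard port {parts.port}")
    except ValueError:
        return {"verdict": "block", "target": payload, "reasons": ["invalid port"]}
    if scheme == "http":
        reasons.append("plain HTTP, no TLS")
    return {"verdict": "url", "target": payload, "reasons": reasons}


# Constructed decoder output; none of these are real sites or campaigns.
SAMPLE_SCANS = [
    "https://www.example.com/product/12345",
    "http://bank.example@203.0.113.5/login",
    "http://203.0.113.5/update.apk",
    "https://xn--pple-43d.example/",
    "market://details?id=com.example.app",
    "tel:+15555550100",
    "javascript:alert(1)",
    "BEGIN:VCARD\nVERSION:3.0\nN:Doe;Jane\nEND:VCARD",
    "Lot 4711, made in Example-land",
]


def scan_report(payloads=SAMPLE_SCANS):
    """Map each payload to its verdict, as a reader UI would before acting."""
    return {p: classify_payload(p)["verdict"] for p in payloads}


if __name__ == "__main__":
    for payload, verdict in scan_report().items():
        info = classify_payload(payload)
        print(f"{verdict:6}  {payload.splitlines()[0]!r}")
        for r in info["reasons"]:
            print(f"        - {r}")
```

The key design choice is that no verdict ever means "open now": even a clean https link is only displayed with an open button, and the reasons list is what the user sees next to it. The user-name check matters most for printed codes, because `http://bank.example@203.0.113.5/` reads as the bank to a person glancing at a truncated preview while the browser goes to the IP address after the `@`.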