Can QR Codes Spread Computer Viruses?

Category: Security

Any doubts I may have had about the viability of QR codes have evaporated. You know a new technology is catching on when malware authors start using it to snare unwary users. Read on to learn how those funny black squares can carry a nasty (and expensive) payload...

QR Code Malware

QR codes are squares of black and white patterns that encode the URLs of Web sites in a format that can be scanned and deciphered by smartphones equipped with the right apps. Instead of typing a URL into your phone's browser, you can just snap a picture of a QR code and be whisked to an ad, an informative Web page... or a malicious site that silently downloads a virus, rootkit, or trojan to your phone.

Kaspersky Labs has detected two samples of malware delivered via QR codes, both targeting Android phones. One of them sends SMS messages from the infected phone to a premium-priced number; each text message costs the victim six dollars! Other types of malware can scoop up your contacts list, send spam emails in your name, and wreak other sorts of mischief.

Can a QR code itself contain malware? Theoretically, yes, but it wouldn't do much. A QR code can contain only a limited amount of data: 7089 numeric characters or 4296 alphanumeric characters. You can't write much of a program in that space. But a QR code can easily take you to a malicious site.

Humans cannot tell one QR code from another, generally speaking. You have no idea where a QR code is going to take you until you scan it, and then it's too late. So it pays to be skeptical of all QR codes, while exercising some common sense.

QR codes printed in paper publications, on in-store posters, on coupons from well-known retailers, and similar places are unlikely to be malicious. But never forget the days when shrink-wrapped software packages were infected with malware at the factory by disgruntled workers.

A QR code on a Web page is more easily compromised. If a hacker can crack the site's security, he can replace a legitimate QR code with a malicious one of his own. There have already been reports of malicious QR codes showing up in spam emails. Be a bit more cautious before scanning online QR codes, and especially if they arrive in unsolicited emails.

If you notice a sticker bearing a QR code just randomly slapped up on a wall or a sign post, think twice before scanning it. On the other hand, this method of distributing malicious QR codes is so inefficient that it probably isn't used much.

Malicious QR codes can be countered by anti-malware apps that translate a QR code into a URL and allow a user to review it in plain text before deciding whether to let the Web page be fetched. Better still, look for an app that prescreens all URLs against a blacklist of known attack sites. Norton Snap is one such app that works on both Android and iOS devices. In addition, Lookout Mobile Security and the McAfee Antivirus & Security app (both for Android) claim to protect you from malicious URLs in QR codes.
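As an added illustration (not code from this article or from any of the apps named above), here is a Python sketch of that prescreening step: it takes the text decoded from a QR code, extracts the host that would actually be contacted so it can be shown in plain text, and checks it against a blocklist. The blocklist and shortener entries, the function names and the verdict labels are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholder data (assumptions): a real scanner app would load
# these from a maintained reputation feed.
BLOCKLIST = {"malware.example", "bad-apps.example"}
SHORTENERS = {"short.example"}


def on_list(host, names):
    """True if host or any of its parent domains appears in names."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in names for i in range(len(labels)))


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def screen_qr_payload(payload):
    """Return (verdict, host, reasons) for text decoded from a QR code.

    verdict: "block" = never fetch, "review" = show warnings and ask the user,
    "allow" = nothing suspicious found (the host is still shown before opening).
    """
    try:
        parts = urlsplit(payload.strip())
        # .hostname is lowercased and excludes any user-info and port.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "block", "", ["malformed URL"]
    if parts.scheme not in ("http", "https") or not host:
        return "review", host, ["not a plain web URL"]
    if on_list(host, BLOCKLIST):
        return "block", host, ["host is on the blocklist"]
    reasons = []
    if parts.username is not None:
        reasons.append("text before '@' is not the destination; real host is " + host)
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a domain name")
    if on_list(host, SHORTENERS):
        reasons.append("URL shortener hides the final destination")
    return ("review" if reasons else "allow"), host, reasons
```

Comparing the parsed, normalized host (rather than the raw string) against the list is what keeps differences in letter case, a trailing dot, or a subdomain from slipping past the blocklist.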

On a semi-related note, I should mention that Microsoft has invented its own version of QR codes, presumably to inject a little more confusion into the world of computing. Microsoft Tag barcodes are similar to QR codes, but different. Some QR code readers can understand Tags, and some Tag readers can understand QR codes. But not all of the code reader apps do both. Hopefully, a unified qr/barcode/tag standard will evolve in our lifetime, and malware authors won't have to work so hard to scam smartphone users who scan random codes.

Malicious QR codes are still rare, but if they work you can be sure that many more will appear quite rapidly. It's better to be on your guard now than after you scan the wrong QR Code.

Are you a QR code fan? Post your comment or question below...


This article was posted by on 4 Jun 2012

Most recent comments on "Can QR Codes Spread Computer Viruses?"

Posted by:

04 Jun 2012

Okay, Bob, you say that grammar is important in our replies. Now I'm going to call you on YOUR grammar!

In the second paragraph of today's epistle, you write, "Instead of typing a URL into your phone's browser . . . " You should have used "an" instead of "a" before "URL."

In your third to last paragraph, you wrote "Hopefully, a unified qr/barcode/tag standard . . ." (Shriek!) "Hopefully" is an adjective and NOT an adverb. One walks hopefully down the aisle or over to the salad bar. Please don't hang an adjective in the air in a sentence. Wouldn't you wince at "Tearfully, the Kibbles'n'Bits scattered all over the linoleum"?

You may have been committing these grammar crimes for some time and I am only now noticing them. If so, I apologize for my lack of attention. Your column is consistently good, newsy, pertinent, well written, and error-free. I am an admirer.

EDITOR'S NOTE: Martha, your note is much appreciated, but please allow me to defend my grammar. The abbreviation "URL" stands for "universal resource locator" and is pronounced “you-are-ell.” Thus, I would argue that it is proper to write "a URL" instead of "an URL". Also, according to both the Merriam-Webster and Oxford English dictionaries, the primary meaning of "hopefully" is an adverb.

Posted by:

04 Jun 2012

I think you meant "uniform resource locator", Bob. But I agree. :)

Posted by:

04 Jun 2012

While I agree that "hopefully" usually (and in your case) is an adverb, you still haven't used it correctly: the barcode standard will not be doing anything in a hopeful manner. Instead, you use it as a shortened (and ungrammatical) form for "one hopes that..." or "we hope that..."

Posted by:

04 Jun 2012

Dear, Sweet Martha,

Instead of chastising Mr. Rankin for your misinterpretation of HIS grammar skills, why not try absorbing the extremely valuable information within his messages? He is trying desperately to keep his viewers informed with the latest news about all the little nasties that come to us through email, the Internet and whatever technology whose security has been breached this week. I know... nasties is probably not a word ~ shoot me!

Chances are very good that one of his newsletters that YOU have read recently has prevented YOU some digital or monetary hardship. This he does with very little recognition and zero cost... to YOU. A little appreciation would go a very long way.

I think it's completely acceptable here to forgive his grammatical indiscretions. After all, did you understand completely the message he was trying to convey? That's what I thought. And so did thousands of others who quietly thank him for his up-to-date~ and FREE ~advice without adding their petty criticisms.

Martha, please feel free to correct MY grammar. I can use all the help I can get cause school ain't never learnt me nuthin"!

Thank you Mr. Rankin,
Keep the great advice coming ~ proper grammar optional!

Posted by:

04 Jun 2012

Informative post. While we are on the topic of grammar and spelling, I am always a bit surprised to see the following common mistake (and amazed that Martha did not notice!), which jumps at me even though my native language is not English.

You wrote "Microsoft has invented it's own version"
Of course, it should be "...its own version"
It's a very common mistake, I know!

EDITOR'S NOTE: It's my nemesis! (Fixed now)

Posted by:

04 Jun 2012

So these "things" are "QR codes" eh? I never knew they had a name. To me, they're nothing more than nonsensical rubbish. Now I also know they're just another excuse for playing with a cell phone, instead of having a life and interacting with human beings.

P.S. Martha sounds like a nut.

Posted by:

04 Jun 2012

Mr. Rankin Go GET 'Em!!!

Proper Grammar or NO We all Get what You are Conveying.

Posted by:

05 Jun 2012

I have to agree with Bob there. It may be "an earl" but it's "a URL". ;~] Also, "hopefully" is an adverb; the adjective is "hopeful".

Posted by:

05 Jun 2012

I don't worry about scanning a malicious QR Code because the QR scanner I use on my Android phone shows me whatever the QR code is and then gives me the option to follow it or not.

Posted by:

06 Jun 2012

So that's what those smudges be. I thought they were a new type of Rorschach Test.
It's nice to know somebody cares enough about the proper use of words and all, but is this the place to do it?
Mr. Bob. Thanks for the info, I shall pass it on to anyone that cares to listen.

Posted by:

06 Jun 2012

That bar code is also known as a "Data Matrix" bar code. And, can contain more than your stated "7089 numeric characters or 4296 alphanumeric characters". Depending on the size of the bar code, you could possibly enter several pages of malicious code.

EDITOR'S NOTE: The size of the bar code is not relevant. See for more details.


Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- Can QR Codes Spread Computer Viruses? (Posted: 4 Jun 2012)