Can You Get a Virus By Scanning a QR Code?

Category: Security

An AskBob reader wants to know if there is any potential danger in scanning a QR code. Can a QR code hide dangerous content, or trigger a malicious action? Let's take a look and see if simply scanning a QR code can result in a virus or other type of malware infection. Read on...

Are QR Codes Dangerous?

Let's start with an understanding of what a QR code is. "QR code" is an abbreviation for Quick Response code, a type of barcode that's been around since the early 1990s. Unlike the barcodes you see on product packaging, QR codes are two-dimensional. They typically take the form of a square containing dots, which can encode a website address, contact information, or other text. You might find a QR code on a website, in an email, on a restaurant menu, in a magazine, or other printed materials.

When scanned with a smartphone, tablet, or a handheld QR code reader, the encoded text is presented to the user. Simply scanning a QR code will not directly infect your mobile device with a virus or malware. There's always a decision to be made once the QR code is decoded. Proceed to the specified web address? Add this entry to your Contacts? Or put down the phone and back away slowly?

A QR code scanner is typically built into a mobile device. In some cases, opening the camera app and pointing your phone at the QR code is all that's needed. Some phones have a QR code app that you must open to scan the code. As I mentioned above, QR codes can't initiate actions on your device, such as automatically downloading a file, launching an app, sending a text message, or whisking you off to a website. QR Code

QR codes are innocuous, in and of themselves. However, the content or destination that the QR code points to could potentially be malicious. Scanning a QR code...

  • ... could be a link to a malicious website designed to exploit vulnerabilities in your web browser or operating system.

  • ... can link to a fake login page, a phishing attack designed to trick you into entering your login credentials.

  • ... might offer to a link to download a mobile app.

  • ... may initiate a payment transaction via Apple Pay, Google Pay, Zelle, or Venmo.

  • ... might prompt you to save a new contact in your device's address book.

In each scenatio, you have the choice to proceed or not. User confirmation and/or authentication are required before continuing. You should think of QR codes in the same way as any hyperlink which presents itself, and you have to decide if it's safe to proceed.

To protect yourself from potential threats when using QR codes, scan only from sources you trust. Verify links before proceeding; if it looks sketchy or doesn't appear to be the expected destination, back away. Make sure your operating system, apps, and antivirus software are up to date. Install a QR code reader with extra security. Trend Micro's Safe QR Code Reader, for example, will perform a safety check on URLs you scan, detecting and blocking sites known for scams, malicious and dangerous content.

If you do decide to install an app -- whether from a QR code or app store -- be sure review the permissions requested by the app. Does that rearrange-the-blocks game really need access to your contacts and your camera?

Bottom line, you need to keep in mind that scanning a QR code will not follow a link, or initiate transfers without you first confirming the action. As with any link or online action, caution and mindfullness is required. When you see a QR code, consider the context and the action you are prompted to take. As always, look before you leap. Post your comment or question below.

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 3 Oct 2023

For Fun: Buy Bob a Snickers.

Prev Article:
Can You Get a Virus By Opening an Email?

The Top Twenty
Next Article:
Try These 40+ Free Research Tools

Most recent comments on "Can You Get a Virus By Scanning a QR Code?"

Posted by:

03 Oct 2023

The article says to "think of QR codes in the same way as any hyperlink which presents itself"... ..and to "verify links before proceeding".

Before I decide to start scanning any QR codes with my iPhone, I have this question: Is the coded "text" always mere text, or could that text be already formed as a hyperlink which, if you then merely TAP on it by accident, you will indeed be whisked off to a website? If the latter is true, and yet the app that decodes the QR code merely asks - immediately - if I want to go there or not, then "verifying" on the spot that the destination is safe may not be easy. (Proper scrutiny may even require the preliminary step of carefully copying it out.) I'd feel better if I knew that the decoded text can only spell out a URL and and cannot be a hot link in itself. Then I will trust that I can safely scan QR codes without having to then operate my phone's touch screen very very gingerly.

Posted by:

Ernest N. Wilcox Jr. (Oldster)
04 Oct 2023

Kevin, When you scan a QR code, the QR code scanner on your phone will display the destination URL. You must then click in the QR code scanner's window to proceed/continue or nothing will happen. I don't use anything from Apple, but on my Samsung Android phone, there is a 'button' at the bottom-left of my screen with three vertical lines to display all open/running apps and a 'button' in the resulting display labeled 'close all'. When in doubt, I use that to get out of any action/screen I have any doubts about. I suspect that there's something similar on your iPhone. If you have any doubt about the displayed URL in the QR code scanner window, close the app/window in a way similar to how I do it.

As for QR codes, I have always avoided them because I knew nothing about how they work until Bob described their functionality in this article (thank you Bob!). I never use my phone to surf the Internet except in emergencies, and then only to specific destinations (auto-repair/parts shop, towing service, etc.). I prefer my PCs for any Internet activity. The screens are larger, and I understand them better :).


Ernie (Oldster)

Posted by:

04 Oct 2023

Thanks for this info. It was very helpful.

Posted by:

05 Oct 2023

Today I scanned a QR code for the first time. It was one I found displayed on an official electronic sign at the local mall. All I then saw at the top of my iPhone screen was whatever few words the link uses to describe itself along with an invitation to tap and open it in my Safari browser. It did not show a spelled-out address so there's no way to first vet the Internet destination by the usual means (analyzing the full written URL to see where it actually would take you). Yes, I was able to ignore the notification and dismiss it just by returning to my home screen. But why bother scanning a QR code in the first place if the decoded message leaves you mostly in the dark so that you still proceed at your own risk?

Knowing only that a QR scan itself won't *immediately* take you to a dangerous place is not very reassuring. It still puts you in a position where the next step you would have to undertake to accomplish anything is almost equally blind and full of risk. Bottom line, if I really want to initiate something by scanning a QR code, it must be one that I know has been placed by a trusted source - and also is not a physical one that might have been tampered with (i.e., a QR code on a poster that was pasted over with a different one that's malicious).

Posted by:

09 Oct 2023

Bob's description of QR Code as "innocuous" was perhaps the original intent of QR Codes. Things are different now. An analogy is to have said that an HTML page is "innocuous" because all it does is display stuff. That was the original intent of HTML. Today, HTML varieties are complete programming languages that can do anything on your device - if the programmer so chooses. The best way to look at QR codes today is that it's a scheme to make your device do something. It can be anything, depending on what software is available on your device.

EDITOR'S NOTE: It's quite an overstatement to say that HTML is "a complete programming language that can do anything." HTML is a markup language. It lacks even the most basic features of a programming language, such as if/then/else, looping, etc.

Unless you have malware already present on your computer, neither HTML nor a QR code can do what you claim.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Can You Get a Virus By Scanning a QR Code? (Posted: 3 Oct 2023)
Copyright © 2005 - Bob Rankin - All Rights Reserved