Can You Get a Virus By Scanning a QR Code?
An AskBob reader wants to know if there is any potential danger in scanning a QR code. Can a QR code hide dangerous content, or trigger a malicious action? Let's take a look and see if simply scanning a QR code can result in a virus or other type of malware infection. Read on...
Are QR Codes Dangerous?
Let's start with an understanding of what a QR code is. "QR code" is an abbreviation for Quick Response code, a type of barcode that's been around since the early 1990s. Unlike the barcodes you see on product packaging, QR codes are two-dimensional. They typically take the form of a square containing dots, which can encode a website address, contact information, or other text. You might find a QR code on a website, in an email, on a restaurant menu, in a magazine, or other printed materials.
When scanned with a smartphone, tablet, or a handheld QR code reader, the encoded text is presented to the user. Simply scanning a QR code will not directly infect your mobile device with a virus or malware. There's always a decision to be made once the QR code is decoded. Proceed to the specified web address? Add this entry to your Contacts? Or put down the phone and back away slowly?
A QR code scanner is typically built into a mobile device. In some cases, opening the camera app and pointing your phone at the QR code is all that's needed. Some phones have a QR code app that you must open to scan the code. As I mentioned above, QR codes can't initiate actions on your device, such as automatically downloading a file, launching an app, sending a text message, or whisking you off to a website.
QR codes are innocuous, in and of themselves. However, the content or destination that the QR code points to could potentially be malicious. A QR code...
- ... could link to a malicious website designed to exploit vulnerabilities in your web browser or operating system.
- ... can link to a fake login page, a phishing attack designed to trick you into entering your login credentials.
- ... might offer a link to download a mobile app.
- ... may initiate a payment transaction via Apple Pay, Google Pay, Zelle, or Venmo.
- ... might prompt you to save a new contact in your device's address book.
In each scenario, you have the choice to proceed or not. User confirmation and/or authentication are required before continuing. You should think of QR codes in the same way as any hyperlink that presents itself: you have to decide if it's safe to proceed.
To protect yourself from potential threats when using QR codes, scan only from sources you trust. Verify links before proceeding; if it looks sketchy or doesn't appear to be the expected destination, back away. Make sure your operating system, apps, and antivirus software are up to date. Install a QR code reader with extra security. Trend Micro's Safe QR Code Reader, for example, will perform a safety check on URLs you scan, detecting and blocking sites known for scams, malicious and dangerous content.
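To make "verify links before proceeding" concrete, here is an added example (not code from the article or from any QR reader app) that takes the text decoded from a QR code, reports what kind of action it would prompt, and for web links extracts the host the browser would actually contact. The function names, warning labels, and the short `SHORTENERS` list are assumptions made for this illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: a short, illustrative list of link shorteners.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def is_ip_literal(host):
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def inspect_qr_payload(text):
    """Classify decoded QR text; for web links, return the real host and warnings."""
    text = text.strip()
    if text.upper().startswith(("BEGIN:VCARD", "MECARD:")):
        return {"kind": "contact", "host": None, "warnings": []}
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Plain text, or a scheme (tel:, sms:, an app's own) that hands off to another app.
        return {"kind": "app-link" if scheme else "text", "host": None, "warnings": []}
    host = parts.hostname or ""  # hostname drops any "user@" prefix and the port
    warnings = []
    if scheme == "http":
        warnings.append("not-https")
    if parts.username is not None:
        warnings.append("userinfo-before-host")  # text before "@" is not the destination
    if is_ip_literal(host):
        warnings.append("ip-address-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")  # internationalized name; may imitate another
    if host in SHORTENERS:
        warnings.append("shortened-link")  # final destination is hidden
    return {"kind": "web-link", "host": host, "warnings": warnings}

# Constructed sample payloads (documentation domains and addresses only).
SAMPLES = [
    "https://example.com/menu",
    "http://example.com@192.0.2.10/login",
    "https://bit.ly/abc123",
    "BEGIN:VCARD\nVERSION:3.0\nFN:Test Contact\nEND:VCARD",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample[:40]), "->", inspect_qr_payload(sample))
```

An empty warnings list only means none of these specific red flags matched; it does not say the destination is trustworthy.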
If you do decide to install an app -- whether from a QR code or app store -- be sure to review the permissions requested by the app. Does that rearrange-the-blocks game really need access to your contacts and your camera?
Bottom line, you need to keep in mind that scanning a QR code will not follow a link or initiate transfers without you first confirming the action. As with any link or online action, caution and mindfulness are required. When you see a QR code, consider the context and the action you are prompted to take. As always, look before you leap. Post your comment or question below.
This article was posted by Bob Rankin on 3 Oct 2023
Article information: AskBobRankin -- Can You Get a Virus By Scanning a QR Code? (Posted: 3 Oct 2023)
Source: https://askbobrankin.com/can_you_get_a_virus_by_scanning_a_qr_code.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Can You Get a Virus By Scanning a QR Code?"
Posted by:
Kevin
03 Oct 2023
The article says to "think of QR codes in the same way as any hyperlink which presents itself"... and to "verify links before proceeding".
Before I decide to start scanning any QR codes with my iPhone, I have this question: Is the coded "text" always mere text, or could that text be already formed as a hyperlink which, if you then merely TAP on it by accident, you will indeed be whisked off to a website? If the latter is true, and yet the app that decodes the QR code merely asks - immediately - if I want to go there or not, then "verifying" on the spot that the destination is safe may not be easy. (Proper scrutiny may even require the preliminary step of carefully copying it out.) I'd feel better if I knew that the decoded text can only spell out a URL and cannot be a hot link in itself. Then I will trust that I can safely scan QR codes without having to then operate my phone's touch screen very very gingerly.
Posted by:
Ernest N. Wilcox Jr. (Oldster)
04 Oct 2023
Kevin, When you scan a QR code, the QR code scanner on your phone will display the destination URL. You must then click in the QR code scanner's window to proceed/continue or nothing will happen. I don't use anything from Apple, but on my Samsung Android phone, there is a 'button' at the bottom-left of my screen with three vertical lines to display all open/running apps and a 'button' in the resulting display labeled 'close all'. When in doubt, I use that to get out of any action/screen I have any doubts about. I suspect that there's something similar on your iPhone. If you have any doubt about the displayed URL in the QR code scanner window, close the app/window in a way similar to how I do it.
As for QR codes, I have always avoided them because I knew nothing about how they work until Bob described their functionality in this article (thank you Bob!). I never use my phone to surf the Internet except in emergencies, and then only to specific destinations (auto-repair/parts shop, towing service, etc.). I prefer my PCs for any Internet activity. The screens are larger, and I understand them better :).
My2Cents,
Ernie (Oldster)
Posted by:
chris
04 Oct 2023
Thanks for this info. It was very helpful.
Posted by:
kevin
05 Oct 2023
Today I scanned a QR code for the first time. It was one I found displayed on an official electronic sign at the local mall. All I then saw at the top of my iPhone screen was whatever few words the link uses to describe itself along with an invitation to tap and open it in my Safari browser. It did not show a spelled-out address so there's no way to first vet the Internet destination by the usual means (analyzing the full written URL to see where it actually would take you). Yes, I was able to ignore the notification and dismiss it just by returning to my home screen. But why bother scanning a QR code in the first place if the decoded message leaves you mostly in the dark so that you still proceed at your own risk?
Knowing only that a QR scan itself won't *immediately* take you to a dangerous place is not very reassuring. It still puts you in a position where the next step you would have to undertake to accomplish anything is almost equally blind and full of risk. Bottom line, if I really want to initiate something by scanning a QR code, it must be one that I know has been placed by a trusted source - and also is not a physical one that might have been tampered with (i.e., a QR code on a poster that was pasted over with a different one that's malicious).
Posted by:
Seen-It-All
09 Oct 2023
Bob's description of QR Code as "innocuous" was perhaps the original intent of QR Codes. Things are different now. An analogy is to have said that an HTML page is "innocuous" because all it does is display stuff. That was the original intent of HTML. Today, HTML varieties are complete programming languages that can do anything on your device - if the programmer so chooses. The best way to look at QR codes today is that it's a scheme to make your device do something. It can be anything, depending on what software is available on your device.
EDITOR'S NOTE: It's quite an overstatement to say that HTML is "a complete programming language that can do anything." HTML is a markup language. It lacks even the most basic features of a programming language, such as if/then/else, looping, etc.
Unless you have malware already present on your computer, neither HTML nor a QR code can do what you claim.