Can You Get a Virus from a QR Code?

QR Code Malware?

QR codes encode website addressess in a format that can be scanned and deciphered by the camera app on most smartphones. Instead of typing that URL into your phone's browser, you just snap a picture of a QR code and be whisked to an informative Web page, a restaurant menu... or a malicious site that silently downloads a virus, or siphons data from your phone.

In January of this year, the FBI warned about malware delivered via QR codes. The end result could be theft of data from the phone, a malware download, or redirection to a malicious site, which prompts the victim to enter login credentials or financial information. The latter case is just a twist on email phishing scams, but they use a QR code to obscure the link. In the past, I've read about mobile malware capable of sending SMS messages from the infected phone to a premium-priced number, and others that scoop up your contacts list and send spam emails in your name.

Can a QR code itself contain malware? Theoretically, yes, but it wouldn't do much. A QR code can contain only a limited amount of data: 7089 numeric characters or 4296 alphanumeric characters. You can't write much of a program in that space. But a QR code can easily take you to a malicious site. Humans cannot tell one QR code from another, generally speaking. You have no idea where a QR code is going to take you until you scan it. So it pays to be skeptical of all QR codes, while exercising some common sense.

There's an example QR code on this page, which leads to the AskBob home page. You can safely scan that if you want to see how it works. QR codes printed in paper publications, on in-store posters, on coupons from well-known retailers, and similar places are unlikely to be malicious. But never forget the days when shrink-wrapped software packages were infected with malware at the factory by disgruntled workers.

A QR code on a Web page is more easily compromised. If a hacker can crack the site's security, he can replace a legitimate QR code with a malicious one of his own. There have already been reports of malicious QR codes showing up in spam emails. Be a bit more cautious before scanning online QR codes, and especially if they arrive in unsolicited emails.

If you notice a sticker bearing a QR code just randomly slapped up on a wall or a sign post, think twice before scanning it. On the other hand, this method of distributing malicious QR codes is so inefficient that it probably isn't used much.

The FBI warns against downloading apps via QR codes, and advises that you download apps from the official app store for your mobile platform, which would be Google Play for Android devices, and the App Store for the iPhone or iPad. They also advise users to be wary of scams that involve an email about a failed payment with a QR code to complete the payment. If you receive such a message, find the company's customer service phone number on their website and call to verify. Avoid making payments through a website linked to a QR code.

One thing you can do to minimize risk is preview the destination URL before possibly heading off into some dark corner of the Web. Most smartphones will show you the website address encoded in the QR code, and ask you to confirm before continuing. That's no guarantee that the destination is safe, so you might want to copy the URL and paste it into a URL safety checker. The Google Safe Browsing page and the Trend Micro Safety Center both allow you to do that.

Malicious QR codes can also be countered by anti-malware apps that translate a QR code into a URL and check against a blacklist of known attack sites. Lookout Mobile Security is one such app that works on both Android and iOS devices.

Malicious QR codes are still rare, but if they work you can be sure they'll become more common. It's better to be on your guard now than after you scan the wrong QR Code. Are you a QR code fan? Post your comment or question below...