Can You Get a Virus from a QR Code?

Category: Mobile, Security

You know a technology is catching on when malware creeps start using it to snare unwary users. QR codes, those little squares of black and white patterns that you see in various places, are typically benign shortcuts for mobile users, but they can carry a nasty (and expensive) payload. Read on for the scoop...

QR Code Malware?

QR codes encode website addresses in a format that can be scanned and deciphered by the camera app on most smartphones. Instead of typing that URL into your phone's browser, you just snap a picture of a QR code and are whisked to an informative Web page, a restaurant menu... or a malicious site that silently downloads a virus, or siphons data from your phone.

In January of this year, the FBI warned about malware delivered via QR codes. The end result could be theft of data from the phone, a malware download, or redirection to a malicious site, which prompts the victim to enter login credentials or financial information. The latter case is just a twist on email phishing scams, but they use a QR code to obscure the link. In the past, I've read about mobile malware capable of sending SMS messages from the infected phone to a premium-priced number, and others that scoop up your contacts list and send spam emails in your name.

Can a QR code itself contain malware? Theoretically, yes, but it wouldn't do much. A QR code can contain only a limited amount of data: 7089 numeric characters or 4296 alphanumeric characters. You can't write much of a program in that space. But a QR code can easily take you to a malicious site. Humans cannot tell one QR code from another, generally speaking. You have no idea where a QR code is going to take you until you scan it. So it pays to be skeptical of all QR codes, while exercising some common sense.


There's an example QR code on this page, which leads to the AskBob home page. You can safely scan that if you want to see how it works. QR codes printed in paper publications, on in-store posters, on coupons from well-known retailers, and similar places are unlikely to be malicious. But never forget the days when shrink-wrapped software packages were infected with malware at the factory by disgruntled workers.

A QR code on a Web page is more easily compromised. If a hacker can crack the site's security, he can replace a legitimate QR code with a malicious one of his own. There have already been reports of malicious QR codes showing up in spam emails. Be a bit more cautious before scanning online QR codes, and especially if they arrive in unsolicited emails.

If you notice a sticker bearing a QR code just randomly slapped up on a wall or a sign post, think twice before scanning it. On the other hand, this method of distributing malicious QR codes is so inefficient that it probably isn't used much.

The FBI warns against downloading apps via QR codes, and advises that you download apps from the official app store for your mobile platform, which would be Google Play for Android devices, and the App Store for the iPhone or iPad. They also advise users to be wary of scams that involve an email about a failed payment with a QR code to complete the payment. If you receive such a message, find the company's customer service phone number on their website and call to verify. Avoid making payments through a website linked to a QR code.

One thing you can do to minimize risk is preview the destination URL before possibly heading off into some dark corner of the Web. Most smartphones will show you the website address encoded in the QR code, and ask you to confirm before continuing. That's no guarantee that the destination is safe, so you might want to copy the URL and paste it into a URL safety checker. The Google Safe Browsing page and the Trend Micro Safety Center both allow you to do that.

Malicious QR codes can also be countered by anti-malware apps that translate a QR code into a URL and check against a blacklist of known attack sites. Lookout Mobile Security is one such app that works on both Android and iOS devices.
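The preview-and-check step described in the last two paragraphs can be sketched in a few lines. This is an added example, not code from the article or from any app it names; the blocklist entries, sample payloads and function names are constructed for illustration, and it assumes the QR code has already been decoded to text.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample blocklist; a real scanner would load a maintained feed.
BLOCKLIST = {"malicious.example", "phish.example.net"}

def host_blocklisted(host, blocklist=BLOCKLIST):
    """True if the host or any parent domain is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def triage_qr_payload(payload, blocklist=BLOCKLIST):
    """Return (verdict, reasons) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "block", ["malformed URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return "block", [f"not a web link (scheme: {scheme or 'none'})"]
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "block", ["no host in URL"]
    if host_blocklisted(host, blocklist):
        return "block", [f"{host} is on the blocklist"]
    reasons = []
    if scheme == "http":
        reasons.append("unencrypted http")
    if parts.username or parts.password:
        reasons.append("text before '@' is not the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # an ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host name, may imitate another domain")
    return ("warn" if reasons else "allow"), reasons

if __name__ == "__main__":
    # Constructed payloads, as a scanner app would hand them over after decoding.
    for sample in ("https://www.example.org/menu",
                   "http://192.0.2.7/app.apk",
                   "https://login.example.org@cdn.malicious.example/pay",
                   "sms:+15550100?body=JOIN"):
        print(sample, "->", triage_qr_payload(sample))
```

An "allow" verdict only means none of these checks fired; as the article says, it is no guarantee that the destination is safe.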

Malicious QR codes are still rare, but if they work you can be sure they'll become more common. It's better to be on your guard now than after you scan the wrong QR Code. Are you a QR code fan? Post your comment or question below...


This article was posted by on 6 Jun 2022


Most recent comments on "Can You Get a Virus from a QR Code?"

Posted by:

08 Jun 2022

It really burns me up that programmers who are smart enough, and talented enough, to WRITE malicious code, actually DO write it. Makes me want to do harm to them - which of course isn't acceptable.

Thanks for this article, Bob. My original response to the question asked, was "No". So I hadn't thought it through fully.

Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- Can You Get a Virus from a QR Code? (Posted: 6 Jun 2022)