Beware the square: how to spot malicious QR codes

Have you ever wondered about those little digi-squares staring back at you from the corners of posters, magazine articles, cereal boxes and countless other products?

They’re called QR codes – short for “Quick Response” – and they were originally developed back in the mid-nineties for use in the Japanese auto-making industry as a quick, machine-readable way to store information about a particular item, whether for production, inventory or eventual sale. Think of them as a more efficient, more data-rich version of the UPC barcodes that are scanned at the checkout every time you buy something.

Well, like all good, innocent and helpful things, QR codes were eventually leveraged by marketers in order to sell stuff to people. They’re also used as virtual tickets to events. They’re used to facilitate payments. They’re used to speed up login authentication and the installation of software – all sorts of cool uses.

They seemed to grow doubly cool as smartphones exploded in popularity over the past decade or so. All of a sudden, everyone had access to apps that could scan QR codes and whisk them away to wherever marketers, ticket processors or payment players wanted to send them.

And while you used to have to download specific QR code-scanning apps for the privilege of accessing whatever information was programmed into those tiny squares, many modern-day Android and iOS camera apps can now read the codes natively. In short, QR codes have hit the mainstream.

However, as Sophos’ security news site Naked Security points out, the creator of the QR code didn’t envision this system being used too far beyond keeping car parts organized and, as such, is concerned about possible security implications:

He’s right to be concerned. Attackers could compromise people in various ways using QR codes.

One example is QRLjacking. Listed as an attack vector by the Open Web Application Security Project (OWASP), this attack is possible when someone uses a QR code as a one-time password, displaying it on a screen. The organisation warns that an attacker could clone the QR code from a legitimate site to a phishing site and then send it to the victim.

Another worry is counterfeit QR codes. Criminals can place their own QR codes over legitimate ones. Instead of directing the user’s smartphone to the intended marketing or special offer page, the fake code could take users to phishing websites or those that then deliver JavaScript-based malware.

They could also exploit the growing use of QR codes for payments. A fraudster could replace a QR code taking people to a legitimate payment address with their own fake payment URL.

Let’s take a closer look at the counterfeit QR code example mentioned above.

If you’re scanning a QR code that’s supposed to take you to a legitimate website, how can you be sure that it’s actually taking you to a safe place? Well, if you’re using the QR code-scanning feature built into your default camera app or many other run-of-the-mill scanning apps, the unfortunate reality is that you can’t be sure. The sole goal of such features is simply to unscramble the QR code and surface a link for you to click on.

Fortunately, we’ve created a free app that will scan QR codes and tell you if the site they’re sending you to is safe or not. It’s called Sophos Mobile Security, and is available for Android and for iPhone.

Here’s a quick video showing what happens when you scan a malicious QR code with a standard QR code scanner versus what happens when you scan it with Sophos Mobile Security:

[embedded content]

You’ll notice that the standard Android camera app just surfaces the link to be clicked on, while the Sophos Mobile Security QR code reader prompts the user with a warning first.

Also note that Sophos Mobile Security does a lot more than just scan QR codes. It’s just one of many free tools we offer over on our aptly-named Free Tools page. Check it out!

Please do note that the “malicious” site used in the above video is a testing site we use to gauge how our various security products react to malware. It’s not actual malware but it’ll give you a sense of how the Sophos Mobile Security QR code scanner would treat a malicious QR code in the real world. For comparison purposes, the QR code at the top of this post sends you to – a safe site.

Latest Posts