Malicious QR Codes? Believe It Or Not, They Exist

I wouldn’t go as far to say that QR codes are “popular”, but they’re definitely out there. Recently, I spotted one on the door to a coffee shop. Its purpose? To let job-seekers scan it and get a quick link to an application form, saving them from even going through the door. You know – assuming they didn’t want some delicious coffee and pastries. Likewise, QR codes are being featured in magazines, in stores and even in airports.

You know what this means, don’t you? It means that QR Codes can also be used for malicious intent, because nothing positive can exist without a negative (scientific theory aside). QR codes are designed to store raw text, with the most common purpose being to save mobile users from having to type in a URL. The problem is, QR codes are seriously convenient, so it’s likewise seriously convenient for someone to create one that links to a malware-infested website – or worse, one that automatically executes code.

Depending on the software and the phone, the latter problem happening is going to be rare, but it does remain a possibility. The more likely scenario will be someone programming a malicious URL into one and sticking it in a public place for those who walk on by curious enough to scan it. Or even better – printing out a QR code to place over top of a legitimate one in a public place. Take that coffee shop I mentioned earlier, for example.

In all, the chances of you stumbling on a genuinely malicious QR code at this point in time is likely to be about as common as winning the lottery, but once more people wise-up to the possibilities, who knows? If you want to be safe, be sure to use barcode-scanning software that doesn’t automatically execute code, and if you scan one that gives a URL, ignore it if it doesn’t look legitimate.