Tuesday, April 3, 2012

Never Trust a QR Code

In a followup to my previous article 'What Are QR Codes
The QR code has evolved into something more functional, something smarter... something malicious even!
These funny-looking black and white squares are no longer only for visiting websites, downloading special apps or giving us coupons and promotions.

Now, QR codes are among the newest threats to mobile devices. The threat itself is called "Attagging", or Attack Tagging, and it is done by spoofing QR codes. The smartphone user scans and opens a QR code, but the code has been modified to send the user to some sort of malicious site or content. Hackers simply replace a QR code on an advertisement (maybe a drive-through menu sign?) with one that could lead to malware, Trojans or viruses.

Once you have scanned it, you are at the mercy of the code. It may lead to a website that looks totally legitimate but is secretly uploading a Trojan to your smartphone in the background. The Trojan infects your smartphone and sends SMS messages to a pay service, or to something else that charges your smartphone account. Unfortunately, you won't see it until the bill comes in.

This is called an 'SMS Trojan', which is a very popular and common method of generating income via malware on a mobile device.

More serious, though, are exploits that try to 'root' a smartphone. Rooting gives a hacker full administrative access to your smartphone. This is the same level of access (and in some cases more) that an administrator would have to a network or a device. 'Root' access is unrestricted, so just about anything can be done to that device without any restrictions or safeguards. The smartphone can be erased, and its data stolen or even uploaded to someone else. Your contacts, address book and personal information, even the serial (IMEI) number of your smartphone, can be identified and even cloned. (This could mean a whole bunch of people using your IMEI number to make calls, send SMS, purchase products etc.) All on your dime.

The best advice when using QR codes: if the advertiser has a website printed on their advertising along with a QR code, make sure it matches the product in some way. If you are unsure or have any doubt, don't scan the QR code!
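
The matching check advised above, written out as an added example (not part of the original article): a Python function that compares the text decoded from a QR code with the website printed on the advertisement before anything is opened. The domain `example-burger.com`, the sample payloads and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def printed_domain(site: str) -> str:
    """Reduce the website printed on the ad to a bare lowercase host name."""
    site = site.strip().lower()
    host = urlsplit(site if "://" in site else "//" + site).hostname or ""
    return host[4:] if host.startswith("www.") else host


def check_qr_payload(payload: str, printed_site: str) -> list[str]:
    """Return warnings for a decoded QR payload; an empty list means it matches."""
    expected = printed_domain(printed_site)
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    if parts.scheme not in ("http", "https"):
        # sms:, smsto:, tel:, market: and similar act without showing a web page
        return [f"not a web link (scheme {parts.scheme!r})"]
    warnings = []
    if parts.username is not None:
        warnings.append("text before '@' is not the host; the real host follows it")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a named site")
    except ValueError:
        pass  # a host name, as expected
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host uses punycode and may imitate another name")
    if not expected or not (host == expected or host.endswith("." + expected)):
        warnings.append(f"host {host!r} is not {expected!r} or a subdomain of it")
    return warnings


# Constructed sample payloads, as a QR decoder would return them.
PRINTED = "www.example-burger.com"
SAMPLES = [
    "https://www.example-burger.com/menu",
    "https://example-burger.com.promo.example/menu",
    "https://example-burger.com@203.0.113.7/menu",
    "smsto:55555:JOIN",
]

if __name__ == "__main__":
    for payload in SAMPLES:
        print(payload, "->", check_qr_payload(payload, PRINTED) or "matches printed site")
```

The comparison is a plain suffix match against the printed host name, so a shortened link is reported as a mismatch rather than followed.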