Security company cautions on malicious 'QR' mobile barcodes

An example of a QR code

Security software maker AVG has warned of the potential dangers to business and consumer users of smartphones and tablets being posed by their use of QR codes.

QR (quick response) codes, and similar mobile tagging formats, can be targeted and manipulated by cyber criminals to easily steer victims to malicious web sites in a new avenue to steal identities and commit fraud.

The matrix-style geometric barcodes can be seen in magazines, on billboards, street posters, buses and merchandise, and are providing highly convenient access to information, incentives and special deals.

But malicious QR codes can be easily generated and placed as stickers over the legitimate QR codes for both small and large-scale attacks on personal and financial identity. Printed flyers offering irresistible deals, but accessible only via a QR code, can easily be left in public places.

By such simple means, cyber criminals, skilled at using sophisticated attacks like spear phishing or other variants of social engineering, can then use their own malicious QR code to phish or pharm the unsuspecting smartphone user to a web page designed to look as though it belongs to a legitimate advertiser. Once on the pseudo webpage, the victim will fill out a form to sign up for the service or competition and, in doing so, hand over their private details and/or money to the cyber criminals.

Using other less subtle tricks, cyber criminals can direct browser users to malicious web pages and install malware on their mobile device.

Lloyd Borrett, Security Evangelist of AVG (AU/NZ), has a very clear message for users of smartphones, or any other mobile computer device with in-built cameras: “You must think of your device as being the powerful mobile computer it is. Take similar security precautions when out and about with your smartphone or tablet as you do when using a personal computer at home or work. Have always-on, up-to-date security software installed on your device. And, always think through every action before you click on a bargain.”

QR safety tips

  • Never implicitly trust any QR code. Be suspicious and alert when you go to use it.
  • Make sure you have security software installed on your mobile device. The vast majority of smartphone, tablet and e-reader users currently do not have any security software installed. Yet these devices can be even more susceptible to malicious attacks by cyber criminals. Free and paid security software solutions are available for most device platforms.
  • If a QR code takes you to a web page which asks you to provide your user name, password, bank account details, and/or credit card details, then the person behind the web page is either a thief or an idiot! Do not provide those details to them.
  • If a QR code takes you to a web page where you need to login, don’t login. Instead, go directly to the web page by putting the correct URL into your browser address bar, or via some other trusted means. Doing this means you are much less likely to fall victim to a phishing scam.

“Our surveys show that the majority of people aren’t even password protecting their smartphone and tablet devices,” said Borrett. “Yet they need to be doing much more, including installing a good security solution like AVG Mobilation for Android. Then they will have protection in place that will check apps and web site content for malware should they be tricked into using a malicious QR code.”

About QR codes

QR codes are specific, two dimensional, black on white square matrix barcodes that are readable by devices such as smartphones. The encoded information, in text, URL or other data format, can be up to 7,089 characters as opposed to the 20 character limit of a standard barcode.

Although initially used for tracking parts in vehicle manufacturing by Toyota subsidiary Denso-Wave, QR codes are now used in a much broader context, including both commercial tracking applications and convenience-oriented applications aimed at mobile phone users — termed mobile tagging.

QR codes can be used to display text to the user, to add a vCard contact to the user's device, to open a Uniform Resource Identifier (URI), or to compose an email or text message. Users can also generate and print their own QR codes for others to scan and use by visiting one of several free QR code generating sites.

Users with a camera phone equipped with the correct reader application can scan the image of the QR code to display text, contact information, connect to a wireless network, or open a web page in the smartphone's browser. The act of linking from physical-world objects is termed hard-linking or object-hyperlinking.
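A reader app can show what a decoded payload will do, and flag suspicious link traits, before acting on it. The sketch below is an added example, not AVG's code or part of the original article; the prefixes are common generator conventions, while the warning names, the `expected_domain` parameter and the sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Common payload prefixes mapped to the action a reader app would take.
PREFIXES = [
    ("begin:vcard", "add-contact"),
    ("wifi:", "join-wifi"),
    ("mailto:", "compose-email"),
    ("smsto:", "compose-sms"),
    ("sms:", "compose-sms"),
    ("http://", "open-url"),
    ("https://", "open-url"),
]

def classify(payload):
    """Name the action implied by a decoded QR payload (default: show text)."""
    low = payload.strip().lower()
    for prefix, action in PREFIXES:
        if low.startswith(prefix):
            return action
    return "show-text"

def url_warnings(url, expected_domain=None):
    """Return (host, warnings) for a URL payload; warning names are made up here."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("no-tls")
    if parts.username is not None:      # "brand@other-host" disguises the real host
        warnings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)      # raw IP address instead of a domain name
        warnings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")  # possible look-alike characters
    if expected_domain and not (host == expected_domain
                                or host.endswith("." + expected_domain)):
        warnings.append("host-mismatch")  # not the advertiser named on the poster
    return host, warnings

def preview(payload, expected_domain=None):
    """Summarise a payload so the user can decide before anything is opened."""
    action = classify(payload)
    host, warnings = (url_warnings(payload, expected_domain)
                      if action == "open-url" else (None, []))
    return {"action": action, "host": host, "warnings": warnings}
```

Calling `preview()` on the decoded string and showing the host and warnings to the user supports the tip above: when a code leads to a login page, type the known address instead.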

“Please be warned that QR codes aren't the only mobile tagging code format in use,” Borrett added. “There are a number of other proprietary and non-proprietary, optically readable codes around. For most of them the same security concerns and safety warnings apply. So please play it safe when using all of them.”


4 Comments & Questions


Are there any examples of cybercrime QR codes?


Sounds a lot like security evangelising for the sake of publicity to me.


Thanks for this wonderful application insight info. I have read about QR codes, I have got a keen interest in QR codes & I want to learn things regarding QR codes so that I could do something related to QR codes, my what next to do. Especially in educational field & personal networking i.e. business card etc., looking forward to your guidance like a mentor.

Kind regards


QR tags are wonderful but you still need to expose them to everyone. A great platform for that is the new website which is a platform for small business to market themselves (QR tags) through social media potentially reaching thousands of customers.
