Computerworld

Beware of malicious QR codes: Report

Smartphone users advised to check QR codes are legitimate before scanning them

Cyber criminals have taken advantage of the proliferation of quick response (QR) codes on posters and marketing material by putting their own malicious stickers over the top of legitimate ones, warns security vendor, AVG Australia and New Zealand.

QR codes can be read by scanning the sticker or typing in the code using a smartphone with a QR code reader.

In its latest report, entitled AVG Community Powered Threat Q4 2011, the company warns that cyber criminals are now producing their own QR codes which contain text and URLs with hidden malware. For example, one piece of malware called 'JimmRussia' sends costly SMS messages to premium numbers and also redirects to a URL which downloads a malicious file.

AVG Technologies chief technology officer, Yuval Ben-Itzhak, said in a statement that the smartphone user does not know what lurks behind the code until the malware is installed and running. “Putting a malicious QR code sticker onto existing marketing material or replacing a website’s bona fide QR code with a malicious one could be enough to trick many unsuspecting people,” he said.

Ben-Itzhak added that compromising a website and replacing its legitimate QR code with malicious ones may not get the website owner’s attention fast enough before the websites’ mobile visitors get infected.

The report also found an increase in Android malware samples.

In December last year, Google removed another 22 malicious apps from the Android market, making a total of over 100 apps found in 2011.

Ben-Itzhak added that the use of stolen certificates is also making its way to mobile devices. “Digital certificates are often used to certify the identity of the author of an application,” he said.

“If a criminal can get their hands on the certificate belonging to a major software developer, their malware can circumvent security provisions and give users a false sense of security.”

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU