Russian VXers have begun using obnoxious barcode-on-steroids QR codes as a launchpad for mobile malware. A recently identified malicious Quick Response code on a Russian website links through a series of redirections to a site punting a Trojan version of the Jimm mobile ICQ client. Android users who follow the links and install …
QR code readers are available for many popular mobile platforms
And that is why you should always check that applications don't request funny permissions.
Also, it's a good idea to install LBE Security Guard. This way, you can still install these applications, but only allow them access to the things you want to get to.
Ha ha ha
'Help, help, I'm under attag'
That made me larf.
I'm off to buy some sticky labels...
to print with dodgy QR codes and hijack some advertising posters.
While it might not get quite the same uptake as breaking into a mainstream website and inserting malicious code or appropriate protest messages, would it not be somewhat easier simply to stick replacement dodgy codes over the official ones on advertising posters in well attended areas and wait for people to blindly scan them?
(V mask, obviously!)
Should I advise you...
To print some "goatse" or "bluewaffle" tags?
(warning : don't google those at work. Nor at home. Nor anywhere if you value your sanity.)
This could get serious
An attacker could easily print up a poster for a band, a store or whatever is popular that advertises a free app that will send you special offers and giveaways via SMS and show you the latest deals or news.
Or a cheaper way would be to get some printable sticker sheets and place the phoney QR code over legitimate ones. The shopping mall where I live already has QR tags all over the place and I wouldn't be surprised if some of them were booby-trapped given the large population of security researchers.
So it's exactly the same risk/reward trade-off as typing a random server URL from an advert into your phone.
No. A server URL is human-readable, so if it ends in disney.com, for example, you can decide how much you trust Disney. If a Disney advert has a dodgy-looking URL, you can figure it maybe isn't really Disney. With the barcodes you have no idea where they'll take you so you don't know who you are trusting, and you can't tell if the barcode doesn't match the advert.
with the difference that if I'm looking up info on a product made by Brand X, I can feel fairly safe if the URL starts with X.com
Of course, no guarantees just like everything else, however I would prefer if at least the phone had the option to read the tag and show the URL on the screen WITHOUT connecting to it.
show the URL and give a choice
Some apps do indeed have this feature.
I use the Kaywa mobile reader. It's available for several platforms.
I am not affiliated with them in any way.
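An added example (not code from the article, from Kaywa or from any commenter) of the decode-then-decide step the comments above ask for: the reader shows where the code points and compares the host with the domain the advert claims, before anything is fetched. The brand domain and the sample payloads are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Schemes that hand the payload to an installer, dialer or SMS app instead of
# a browser; a reader should never act on these without an explicit prompt.
APP_SCHEMES = {"market", "intent", "sms", "smsto", "tel"}

def host_matches(host: str, brand_domain: str) -> bool:
    """True only for brand_domain itself or a real subdomain of it; the dot
    anchor keeps 'brand.com.evil.example' from matching 'brand.com'."""
    host, brand_domain = host.lower().rstrip("."), brand_domain.lower()
    return host == brand_domain or host.endswith("." + brand_domain)

def inspect_payload(payload: str, brand_domain: str) -> dict:
    """Classify a decoded QR string as allow / ask / block / text without
    fetching anything; brand_domain is the domain the advert claims."""
    result = {"payload": payload, "scheme": None, "host": None,
              "verdict": "block", "reasons": []}
    text = payload.strip()
    parts = urlsplit(text)
    if not parts.scheme:
        if " " in text or "." not in text:
            result["verdict"] = "text"          # plain text, nothing to follow
            return result
        parts = urlsplit("http://" + text)      # many codes carry a bare host/path
    scheme = parts.scheme.lower()
    result["scheme"] = scheme
    if scheme not in ("http", "https"):
        kind = "app action" if scheme in APP_SCHEMES else "unexpected scheme"
        result["reasons"].append(f"{scheme}: {kind}, not a web page")
        return result
    host = parts.hostname or ""
    result["host"] = host
    try:
        ipaddress.ip_address(host)
        result["reasons"].append("destination is a bare IP address, not a named site")
        return result
    except ValueError:
        pass                                    # ordinary hostname, keep checking
    if not host_matches(host, brand_domain):
        result["reasons"].append(f"{host} does not belong to {brand_domain}")
        return result
    if scheme == "http":
        result["reasons"].append("plain http: the server's identity is unverified")
        result["verdict"] = "ask"
        return result
    result["verdict"] = "allow"
    return result
```

The "ask" verdict is where a reader would display the URL and wait for the user, which is the behaviour the thread wants by default.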
phew, at least I'm safe
as a Winpho7 user, I haven't found a QR app that actually works
Re: as a Winpho7 user, I haven't found a QR app that actually works
Or any other non-M$ app for that matter, eh ? ;-)
I guess the reason is M$ are pushing their own QR equiv which had colors and common shapes like triangles etc. I think the problem was it didn't have good error correction, was costlier to print (in color) and was harder to spot in colored posters with triangles and squares!
Isn't this just like...
...those stupid link shorteners in their scamtastic properties?
"Ooh, shit.ly sounds so cool! Everything-ly makes me sound so distant and yet cool at the same time! Let's start posting links that stop working and rely on some iffy domain registry everywhere on the interwebs!"
And here is where every system fails:
"..apart from the fact users might be more trusting about a non-human-readable QR code than a conventional URL."
Yes. Sad but true. People are often more trusting about something they CAN'T READ to verify for themselves than about something they can.
Some of us are very smart. On average, though, we are really damned stupid.
Not really new...
I saw some of these square things pop up on /b/ pretty much as soon as they became used; never checked where these were leading, but somewhere at least a tiny bit nasty, I'd guess.
Sweet. I'm gonna print up some QR codes that point to lemonparty and stick them on the tube
In the wild already
Found two in the wild already. In Vancouver, one stuck to the wall of the City Centre subway station, "Win a fantastic iPad 2" with a QR code - that points to an unrecognizable URL. Another one under a wiper, "Pizza Hut - Win your Pizza" asking me to download a getmobio app then scan the QR code to order the pizza - but the URL is also unrecognizable. The first one is a scam, the second one may be legitimate, but I don't trust either.