
Crazy square barcodes can point your phone to MALWARE

Russian VXers have begun using obnoxious barcode-on-steroids QR codes as a launchpad for mobile malware. A recently identified malicious Quick Response code on a Russian website links through a series of redirections to a site punting a Trojan version of the Jimm mobile ICQ client. Android users who follow the links and install …

COMMENTS

This topic is closed for new posts.

QR code readers are available for many popular mobile platforms

See title

0
1
Bronze badge

Permissions anyone?

And that is why you should always check whether applications do not request funny permissions.

Also, it's a good idea to install LBE Security Guard. This way, you can still install these applications, but only allow them access to the things you want to get to.

0
1
Thumb Up

Ha ha ha

'Help, help, I'm under attag'

That made me larf.

3
0
Anonymous Coward

I'm off to buy some sticky labels...

to print with dodgy QR codes and hijack some advertising posters.

While it might not get quite the same uptake as breaking into a mainstream website and inserting malicious code or appropriate protest messages, would it not be somewhat easier simply to stick replacement dodgy codes over the official ones on advertising posters in well attended areas and wait for people to blindly scan them?

(V mask, obviously!)

7
0
Yag
Devil

Should I advise you...

To print some "goatse" or "bluewaffle" tags?

(warning : don't google those at work. Nor at home. Nor anywhere if you value your sanity.)

2
0
Bronze badge

This could get serious

An attacker could easily print up a poster for a band, a store or whatever is popular that advertises a free app that will send you special offers and giveaways via SMS and show you the latest deals or news.

Or a cheaper way would be to get some printable sticker sheets and place the phoney QR code over legitimate ones. The shopping mall where I live already has QR tags all over the place and I wouldn't be surprised if some of them were booby-trapped given the large population of security researchers.

0
0

!serious

So it's exactly the same risk/reward trade-off as typing a random server URL from an advert into your phone.

0
0
FAIL

No. A server URL is human-readable, so if it ends in disney.com, for example, you can decide how much you trust Disney. If a Disney advert has a dodgy-looking URL, you can figure it maybe isn't really Disney. With the barcodes you have no idea where they'll take you so you don't know who you are trusting, and you can't tell if the barcode doesn't match the advert.

0
0
Silver badge

with the difference that if I'm looking up info on a product made by Brand X, I can feel fairly safe if the URL starts with X.com

Of course, no guarantees just like everything else, however I would prefer if at least the phone had the option to read the tag and show the URL on the screen WITHOUT connecting to it.

0
0
Happy

show the URL and give a choice

Some apps do indeed have this feature.

I use the Kaywa mobile reader. It's available for several platforms.

I am not affiliated with them in any way.

0
0
Anonymous Coward

phew, at least I'm safe

as a Winpho7 user, I haven't found a QR app that actually works

2
0

Re: as a Winpho7 user, I haven't found a QR app that actually works

Or any other non-M$ app for that matter, eh ? ;-)

I guess the reason is M$ are pushing their own QR equiv which had colors and common shapes like triangles etc. I think the problem was it didn't have good error correction, was costlier to print (in color) and was harder to spot in colored posters with triangles and squares!

0
0
Anonymous Coward

Isn't this just like...

...those stupid link shorteners in their scamtastic properties?

"Ooh, shit.ly sounds so cool! Everything-ly makes me sound so distant and yet cool at the same time! Let's start posting links that stop working and rely on some iffy domain registry everywhere on the interwebs!"

1
1
Silver badge
Facepalm

And here is where every system fails:

"..apart from the fact users might be more trusting about a non-human-readable QR code than a conventional URL."

Yes. Sad but true. People are often more trusting about something they CAN'T READ to verify for themselves than about something they can.

Some of us are very smart. On average, though, we are really damned stupid.

1
0
Anonymous Coward

Not really new...

I saw some of these square things pop up on /b/ pretty much as soon as they became used; never checked where these were leading, but somewhere at least a tiny bit nasty, I'd guess.

1
0
Devil

>:-D

Sweet. I'm gonna print up some QR codes that point to lemonparty and stick them on the tube

0
0
Alert

In the wild already

Found two in the wild already. In Vancouver, one stuck to the wall of the City Centre subway station, "Win a fantastic iPad 2" with a QR code - that points to an unrecognizable URL. Another one under a wiper, "Pizza Hut - Win your Pizza" asking me to download a getmobio app then scan the QR code to order the pizza - but the URL is also unrecognizable. The first one is a scam, the second one may be legitimate, but I don't trust either.

0
0