back to article Crazy square barcodes can point your phone to MALWARE

Russian VXers have begun using obnoxious barcode-on-steroids QR codes as a launchpad for mobile malware. A recently identified malicious Quick Response code on a Russian website links through a series of redirections to a site punting a Trojan version of the Jimm mobile ICQ client. Android users who follow the links and …


This topic is closed for new posts.
  1. Your Retarded

    QR code readers are available for many popular mobile platforms

    See title

  2. Martijn Otto

    Permissions anyone?

    And that is why you should always check whether applications do not request funny permissions.

    Also, it's a good idea to install LBE Security Guard. This way, you can still install these applications, but only allow them access to the things you want to get to.

  3. thefutureboy
    Thumb Up

    Ha ha ha

    'Help, help, I'm under attag'

    That made me larf.

  4. Anonymous Coward
    Anonymous Coward

    I'm off to buy some sticky labels...

    to print with dodgy QR codes and hijack some advertising posters.

    While it might not get quite the same uptake as breaking into a mainstream website and inserting malicious code or appropriate protest messages, would it not be somewhat easier simply to stick replacement dodgy codes over the official ones on advertising posters in well attended areas and wait for people to blindly scan them?

    (V mask, obviously!)

    1. Yag

      Should I advise you...

      To print some "goatse" or "bluewaffle" tags?

      (warning : don't google those at work. Nor at home. Nor anywhere if you value your sanity.)

  5. Crazy Operations Guy Silver badge

    This could get serious

    An attacker could easily print up a poster for a band, a store or whatever is popular that advertises a free app that will send you special offers and giveaways via SMS and show you the latest deals or news.

    Or a cheaper way would be to get some printable sticker sheets and place the phoney QR code over legitimate ones. The shopping mall where I live already has QR tags all over the place and I wouldn't be surprised if some of them where booby-trapped given the large population of security researchers.

    1. Tom Chiverton 1


      SO it's exactly the same risk/reward trade off as typing a random server URL from an advert into your phone.

      1. Brangdon

        No. A server URL is human-readable, so if it ends in, for example, you can decide how much you trust Disney. If a Disney advert has a dodgy-looking URL, you can figure it maybe isn't really Disney. With the barcodes you have no idea where they'll take you so you don't know who you are trusting, and you can't tell if the barcode doesn't match the advert.

      2. James Micallef Silver badge

        with the difference that if I'm looking up info on a product made by Brand X, I can feel fairly safe if the URL starts with

        Of course, no guarantees just like everything else, however I would prefer if at least the phone had the option to read the tag and show the URL on the screen WITHOUT connecting to it.

        1. Your Retarded

          show the URL and give a choice

          Some apps do indeed have this feature.

          I use the Kaywa mobile reader. It's available for several platforms.

          I am not affiliated with them in any way.

  6. Anonymous Coward
    Anonymous Coward

    phew, at least I'm safe

    as a Winpho7 user, I haven't found a QR app that actually works

    1. alwarming

      Re: as a Winpho7 user, I haven't found a QR app that actually works

      Or any other non-M$ app for that matter, eh ? ;-)

      I guess the reason is M$ are pushing thier own QR equiv which had colors and common shapes like triangles etc. I think the problem was it didn't have good error correction, was costlier to print

      (in color) and was harder to spot in colored posted with triangles and squares!

  7. Anonymous Coward
    Anonymous Coward

    Isn't this just like...

    ...those stupid link shorteners in their scamtastic properties?

    "Ooh, sounds so cool! Everything-ly makes me sound so distant and yet cool at the same time! Let's start posting links that stop working and rely on some iffy domain registry everywhere on the interwebs!"

  8. Steve Knox

    And here is where every system fails:

    "..apart from the fact users might be more trusting about a non-human-readable QR code than a conventional URL."

    Yes. Sad but true. People are often more trusting about something they CAN'T READ to verify for themselves than about something they can.

    Some of us are very smart. On average, though, we are really damned stupid.

  9. Anonymous Coward
    Anonymous Coward

    Not really new...

    I saw some of these square things pop up on /b/ pretty much as soon as they became used; never checked where these were leading, but somewhere at least a tiny bit nasty, I'd guess.

  10. Sadako


    Sweet. I'm gonna print up some QR codes that point to lemonparty and stick them on the tube

  11. Dadz

    In the wild already

    Found two in the wild already. In Vancouver, one stuck to the wall of the City Centre subway station, "Win a fantastic iPad 2" with a QR code - that points to an unrecognizable URL. Another one under a wiper, "Pizza Hut - Win your Pizza" asking me to download a getmobio app then scan the QR code to order the pizza - but the URL is also unrecognizable. The first one is a scam, the second one may be legitimate, but I don't trust either.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019