08.26.11

QR Code: a channel to spread malware?

Not everyone knows what a QR Code is or how it can be used.

A QR Code is a specific matrix barcode (or two-dimensional code), readable by a dedicated QR barcode reader. There are many QR Code Reader apps available today for camera phones. The code consists of black modules arranged in a square pattern on a white background. The information encoded can be text, like a URL, or other data.

QR (“Quick Response”) codes are now used in a much broader context, including both commercial tracking applications and convenience-oriented applications aimed at mobile phone users (known as mobile tagging). QR codes can be used to display text to the user, to add a vCard contact to the user’s device, to open a link, or to compose an email or text message.

Though we are not yet used to seeing them, QR codes have started appearing in magazines, on signs, buses, business cards, or on just about any object about which users might need information.

Users with a camera phone equipped with the correct reader application can scan the image of the QR Code to display text or contact information, connect to a wireless network, or open a web page in the phone’s browser.

My immediate thought about this powerful technology was: what if cybercriminals start experimenting with this new technique to spread mobile malware?

I would like to show you how easy it is to create a QR Code for a webpage of your own and distribute it or print it everywhere so that people can open your webpage from their mobile devices.

Let’s suppose I want to generate a QR Code for my personal security blog, http://www.securitysurfer.com.
The procedure is very easy:

I take my blog link and shorten it using the Google application or the bit.ly service.

[Figure 1 – Shortening Process of SecuritySurfer.com]

Then, once I get the shortened link, I append the “.qr” extension to it, getting the following result:

[Figure 2 – QR Code of SecuritySurfer.com]

Figure 2 shows the QR Code I have generated for my personal security blog.

Now I can print and distribute it everywhere so that people using mobile devices equipped with a camera and software to read QR Codes can scan it and browse my security blog.

Now, what about generating a QR Code for a malicious website? Have you ever thought about it? Despite years of internet security experts reminding users to not click links they do not trust, users continue to click links in email and on websites without knowing where they will take them.

While QR codes are not as familiar to most end users today, their use is on the rise and they present a similar risk.

It is reasonable to expect cybercriminals at a minimum to experiment with QR Codes, especially while consumers are still learning about them.

So what can you do to reduce the risk of threats in this area?

  1. Never trust what is unknown: be very sceptical of QR Codes distributed around the world. Look towards established brands when using QR codes. Attacks can still happen, but when working with an established brand there is more likely to be a support process in place in case there is a problem.
  2. Install a Security Suite on your mobile device: needless to say, it is very important to install security software on your mobile device. Total Defense offers a “Mobile Security” product for the Android, Symbian, Blackberry, and Windows Mobile platforms.
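
One way a reader app could apply the first recommendation, shown as an added example that is not code from the original post: classify what a decoded QR payload would do and flag shortened links before anything is opened. The function name, the shortener list and the sample payloads in the comments are assumptions made up for this illustration.

```python
from urllib.parse import urlsplit

# Assumed, non-exhaustive set of link-shortener hosts (bit.ly is named in the post).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}

# Common QR payload prefixes and the device action a reader app takes for each.
ACTION_PREFIXES = {
    "mailto:": "compose-email",
    "smsto:": "compose-sms",
    "sms:": "compose-sms",
    "wifi:": "join-wifi",
    "begin:vcard": "add-contact",
    "mecard:": "add-contact",
}


def assess_qr_payload(payload):
    """Classify a decoded QR payload without acting on it.

    Returns (action, warnings); a reader app would show both to the user
    and wait for confirmation before doing anything.
    Constructed sample inputs: "http://bit.ly/EXAMPLE", "WIFI:T:WPA;S:ExampleNet;;".
    """
    text = payload.strip()
    lowered = text.lower()
    for prefix, action in ACTION_PREFIXES.items():
        if lowered.startswith(prefix):
            return action, ["changes device state; ask before proceeding"]
    try:
        parts = urlsplit(text)
        host = parts.hostname or ""
        has_userinfo = parts.username is not None
    except ValueError:
        return "invalid-url", ["malformed URL; do not open"]
    if host.startswith("www."):
        host = host[4:]
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        warnings = []
        if not host:
            warnings.append("URL has no host")
        if host in SHORTENER_HOSTS:
            warnings.append("shortened link hides the destination; expand it first")
        if has_userinfo:
            warnings.append("text before '@' is not the site name")
        return "open-link", warnings
    if scheme and not any(ch.isspace() for ch in text):
        return "unhandled-scheme", [f"scheme '{scheme}' is not opened automatically"]
    return "display-text", []
```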

The Total Defense Global Internet Security Intelligence Team considers QR Codes a possible attack vector in the near future, and we will continue to closely monitor the mobile threat landscape. Through proactive research and communication we strive to inform users and prevent digital compromise of your computing devices and personal information.