The increasingly visible black-and-white 2D codes appearing on packaging and pages could someday have a dark side: malware. In one of the first instances of a malicious QR code found in the wild, security firm Kaspersky Lab discovered a Russian Web site offering a QR code that downloaded an app that automatically scammed the user out of money.
“The app is a trojan,” says company malware researcher Tim Armstrong. The code pretends to link the user to a mobile chat client, and the download does appear to be an ICQ program. But in reality, the app accesses the SMS functions of a user’s Android device and sends premium text messages costing $6 each, to the benefit of whoever set up the premium number.
Through many text providers in Russia and elsewhere in the world, just about anyone can set up a premium number to reap an easy profit from such a scam.
According to Armstrong, additional instances of the QR malware have been detected. This may just be a proof of concept from the large underground of malware makers worldwide. “But if it is shown that this made the authors any kind of money, you can count on this happening again,” he says.
While the QR vehicle is new, the basic model of using an app to clandestinely trigger premium SMS is not.
“We have seen this in older Nokia and J2ME systems, but the current [smartphones] are much easier to get access to things.” Upon installation, Android apps of any sort ask the user for permission to access a range of services, from geolocation to camera and messaging.
Many people routinely grant permission without paying close attention to the particulars. Armstrong says that Android phones are especially vulnerable, while Kaspersky sees virtually nothing like it on iPhones. The level of security in iOS is such that the effort is too high and the payoff too small for most malware authors to bother.
The problem for consumers, media and marketers is that there is no way to easily distinguish a good from a bad QR code. Nothing in their appearance suggests something is amiss. Even the process of linking from a code often involves several crosslinks under normal circumstances, making it harder for someone to detect a scam.
As consumers become more comfortable using QR codes as an intermediary for acquiring information or discovering new apps, the opportunities for malicious and scam appware escalate, Armstrong says. He expects a greater emphasis on mobile security as the app ecosystem expands and malware authors identify another opportunity to dial up quick bucks.
A spokesman for 2D mobile code services provider ScanBuy tells Online Media Daily that they have been made aware of such QR code scams in recent weeks. The company recommends that marketers and media stick with trusted managed services providers, where access to their codes and their links is protected against tampering.
ScanBuy suggests that working with or promoting trusted QR readers could be a line of defense as well. “Our app, for example, could block or warn users if we detect malicious content in the code,” the company states.