“If it is shown that this made the authors any kind of money, you can count on this happening again,” one malware expert told Silicon Angle.
Because a user has no way to verify where a code is directing them, scanning it can download malware without the user ever knowing.
“When users are affected with malware on a mobile device, there’s little visibility in the security world of what that looks like. Most security software is looking for malicious apps, but not something from a malware standpoint,” Percoco said.
QR codes are being used everywhere, from billboards to produce stands to libraries to nature trails. So for hackers the codes become an easy vector to target mobile devices. Percoco says hackers could build rogue QR codes in a matter of minutes and deploy them as random stickers or overlays on existing QR codes. Many legit QR codes are displayed in public, with no explanation, to entice customers into decoding the image to see what’s next.
“There was a billboard that was 30 feet by 15 feet in downtown Chicago that was literally only a QR code,” Percoco said.
Trustwave SpiderLabs first realized the potential for QR codes as a delivery mechanism for malicious content earlier this year while researching iPhone vulnerabilities. Researchers found that they could successfully infect a smartphone with malware that could jailbreak the phone and give them access to any data contained on the phone, including contacts, email addresses, and text messages.
On both Android phones and iPhones, they were able to use malware to gain access to the phones' cameras and microphones to record pictures and audio. Using malware downloaded from a site linked to a QR code, a hacker could access a person’s phone to see when their next meeting was, then record the audio from the meeting, for example.
The first protection against QR code-based attacks, Percoco said, is not to “scan random QR codes you see while walking on the street.” The second is to use a QR app that doesn’t send the browser directly to a Web page. Some apps show a preview of the Web page or of the URL that the code directs to.
“There aren’t a lot of mechanisms, from a mobile perspective, to look for malicious sites. So that being the case, the best solution is to avoid QR codes where you can or if you don’t trust the source,” he said.
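The preview behaviour described above (show the URL a code points to instead of sending the browser straight to it), as an added example that is not from the article or from any particular scanner app. The function name `previewQrPayload`, the warning heuristics and the sample payloads are assumptions constructed for illustration.

```javascript
// Added example: preview-before-open handling of a decoded QR payload.
// The warning heuristics below are illustrative assumptions, not from the article.
function previewQrPayload(payload) {
  const text = String(payload).trim();
  let url;
  try {
    url = new URL(text);
  } catch {
    // Not an absolute URL: display as plain text, there is nothing to open.
    return { kind: "text", display: text, host: null, warnings: [], needsConfirm: false };
  }
  const scheme = url.protocol.replace(/:$/, "");
  if (scheme !== "http" && scheme !== "https") {
    // tel:, sms:, app-store links and similar trigger device actions: always ask first.
    return { kind: "action", display: text, host: null,
             warnings: [`non-web scheme "${scheme}"`], needsConfirm: true };
  }
  const host = url.hostname;
  const warnings = [];
  if (scheme === "http") warnings.push("connection is not encrypted (http)");
  if (url.username || url.password) {
    warnings.push("text before '@' is not the site name");
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    warnings.push("host is a raw IP address");
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    warnings.push("host uses punycode (possible look-alike name)");
  }
  // The caller shows `host` prominently and opens the page only after the user
  // confirms; this function never navigates anywhere itself.
  return { kind: "url", display: url.href, host, warnings, needsConfirm: true };
}

// Constructed sample payloads (not taken from any real QR code).
const samples = [
  "https://example.com/menu",
  "http://example.com@192.0.2.10/update.apk",
  "tel:+15555550100",
  "Table 12",
];
for (const s of samples) {
  const p = previewQrPayload(s);
  console.log(`${p.kind.padEnd(6)} host=${p.host ?? "-"} warnings=${JSON.stringify(p.warnings)}`);
}
```
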