The content of a QR Code is a mystery until it is scanned. If it decodes as a URL then, much like an ordinary hyperlink, you cannot be absolutely sure where your browser will eventually take you, especially once redirects and URL shorteners are involved. One thing you can be sure of is that somewhere there is someone who would like you to download their malicious code on to your mobile device.
A QR Code is only encoded data and cannot in itself be harmful, but, like an ordinary website link, the end point can be a URL that encourages you in some way to download malevolent code. On a mobile device that code will most likely be packaged as an app, so installing the app is what infects your mobile; the scan itself does not.
This is less of a concern if you are using an iPhone because App Store apps are supposed to be meticulously checked and verified to contain safe code. However iPhone security holes have been found (and then patched) in the past, including vulnerabilities in opening PDF files that would have allowed malware to be introduced without the user installing any app at all, which is exactly the kind of flaw a link from a QR Code could lead you to.
So the risk can never be zero whatever your mobile device, but at the moment the likelihood of downloading malware via a QR Code is extremely small. For those who would like to lessen the risk further, here are four possible ways to protect yourself.
1. Use a QR Code scanner with built in security.
QR Pal allows users to scan, store and share QR Codes, but it also has a feature called SafeScan. With SafeScan (enabled by default) each scan calls QR Pal's API with the target URL. The target URL is first checked against QR Pal's internal blacklist, which is made up of known bad URLs, user-submitted URLs and previous positive malware results from scans. QR Pal's system then performs its own internal checks based on rules they have set and, if nothing is found, queries multiple popular third-party APIs before returning the result to the user. Note that this means every URL you scan is sent to QR Pal's servers; that is the trade-off for having it checked.
If a positive result for malware is found the user is given a clear indication that the target website could be malicious. The user also gets a warning if there is no active internet connection, meaning that SafeScan cannot check the URL, and is given the option to save the code for later.
QR Pal is free at the moment.
QR Pal iOS 3.0+
QR Pal Android 2.1+
2. Use a security app with a built in QR Code scanner.
Norton, well known for their security and anti-virus products, have released Norton Snap, a secure QR Code reader which makes use of Norton’s ‘Safe Web’ service to provide reputation information on URLs found via QR Codes. Depending on the data decoded from the scanned QR Code different actions are taken, but if the data matches a standard web URL then the Norton ‘Safe Web’ rating is fetched for that URL and displayed to the user. To get more information about a site’s rating the user can click the rating icon to visit the full report on the ‘Safe Web’ website.
The user also has the option to enable automatic loading of all websites rated green or “safe”. This way the user is only interrupted if the website has a red or ‘warning’ rating. Norton Snap also has support for lengthening shortened URLs. If a URL is determined to be using a URL shortening service it is expanded to its final destination and the Safe Web report is displayed for that destination rather than for the shortener. This matters because a shortener hides where you are really going, so a rating of the short link alone tells you very little.
One of the cool features of the Norton Snap iOS app is that if it encounters a URL pointing to the Android Market, it will offer the option to search for a similarly named app on the iOS App Store. This is important because it turns all those Android Market QR codes that are normally unusable by iOS users into useful links! Norton Snap is free at the moment.
Norton Snap iOS 4.3+
Norton Snap Android 1.6+
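As an added example of the two checks the scanner apps above describe (SafeScan's blacklist lookup and Norton Snap's expansion of shortened URLs), here is a small Python script that is not code from QR Pal or Norton. It classifies a decoded QR payload, follows a redirect chain one hop at a time the way a HEAD request would, and then vets the final destination rather than the link that was scanned. The blacklist and the redirect table are constructed for the demo so it runs offline; `http_fetch_location` shows how a real HEAD request would be swapped in, and the hostnames, paths and verdict labels are all assumptions for the example.

```python
"""Vet the payload of a scanned QR Code before acting on it.

Added example, not QR Pal's or Norton's code. BLACKLISTED_HOSTS and
FAKE_REDIRECTS are constructed for the demo so everything runs offline;
http_fetch_location() is the live-network equivalent of the simulated lookup.
"""
import http.client
import ipaddress
import re
from urllib.parse import urljoin, urlsplit

# Constructed "known bad" hosts, standing in for a service's blacklist.
BLACKLISTED_HOSTS = {"malware.example", "bad-apps.example"}

# Constructed redirect table: URL -> Location header a HEAD request would get.
FAKE_REDIRECTS = {
    "http://bit.ly/abc123": "http://tinyurl.com/xyz",
    "http://tinyurl.com/xyz": "http://malware.example/app.apk",
    "http://bit.ly/loop1": "http://bit.ly/loop2",
    "http://bit.ly/loop2": "http://bit.ly/loop1",
}


def fake_fetch_location(url):
    """Simulated HEAD request: return the redirect target, or None if final."""
    return FAKE_REDIRECTS.get(url)


def http_fetch_location(url, timeout=5):
    """Real HEAD request that does NOT follow redirects itself (not used offline).

    Returns the absolute Location target for a 3xx response, else None.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        location = resp.getheader("Location")
        if 300 <= resp.status < 400 and location:
            return urljoin(url, location)
        return None
    finally:
        conn.close()


def classify_payload(payload):
    """What the QR Code carried: 'url', 'wifi', 'contact' or plain 'text'."""
    p = payload.strip()
    if re.match(r"https?://", p, re.IGNORECASE):
        return "url"
    if p.upper().startswith("WIFI:"):
        return "wifi"
    if p.upper().startswith(("MECARD:", "BEGIN:VCARD")):
        return "contact"
    return "text"


def expand_url(url, fetch_location=fake_fetch_location, max_hops=5):
    """Follow redirects hop by hop; returns (final_url, chain, aborted).

    aborted is True when the chain loops or exceeds max_hops, which is itself
    a reason for suspicion.
    """
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain[-1], chain, False
        if nxt in chain:
            return nxt, chain, True
        chain.append(nxt)
    return chain[-1], chain, True


def vet_url(url, fetch_location=fake_fetch_location):
    """SafeScan-style verdict on the final destination, not the scanned link."""
    final, chain, aborted = expand_url(url, fetch_location)
    parts = urlsplit(final)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in BLACKLISTED_HOSTS:
        reasons.append("host on blacklist")
    if aborted:
        reasons.append("redirect chain did not terminate")
    try:
        ipaddress.ip_address(host)          # raises ValueError for a normal hostname
        reasons.append("IP-literal host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host, check for look-alike characters")
    if parts.path.lower().endswith(".apk"):
        reasons.append("direct APK download")
    verdict = "malicious" if "host on blacklist" in reasons else ("suspicious" if reasons else "ok")
    return {"verdict": verdict, "final_url": final, "chain": chain, "reasons": reasons}


def scan(payload):
    """Entry point: only URLs get vetted; other payload kinds are just labelled."""
    kind = classify_payload(payload)
    result = {"kind": kind, "payload": payload}
    if kind == "url":
        result.update(vet_url(payload.strip()))
    return result


if __name__ == "__main__":
    for p in ("http://bit.ly/abc123", "http://192.0.2.7/update.apk",
              "https://www.example.com/promo", "WIFI:T:WPA;S:cafe;P:secret;;"):
        r = scan(p)
        print(p, "->", r.get("verdict", r["kind"]), r.get("final_url", ""), r.get("reasons", ""))
```

The design point is that every reputation or blacklist check is made against `final_url`, after the shortener has been expanded, and that a chain which never terminates is reported rather than silently truncated. To vet live links, pass `http_fetch_location` as `fetch_location`; the HEAD request fetches headers only, so the destination page is never rendered on the device during the check.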
3. Use an antivirus app.
For a few dollars you can download an antivirus app that will, at a minimum, scan your apps, settings, files and media in real time and remove harmful apps automatically. Using an antivirus app has the added bonus that you are protected not only against malicious links but also against infected email attachments and file downloads, whichever route the malware takes on to the device.
Because I have an Android phone I use AVG’s Antivirus Pro, which used to be DroidSecurity Antivirus until it was purchased and then improved by AVG. As well as the above it has theft protection features which include locating a lost or stolen device using GPS, creating and displaying a message on screen remotely, and locking the device and wiping its content.
iPhone users considering antivirus may want to take a look at VirusBarrier iOS 4.0+
AVG Anti-Virus Pro Android 1.6+
4. Use common sense.
- If you are scanning a QR Code fly-posted on a sidewalk trash can you need to be more vigilant than when scanning one in a Ralph Lauren ad in the Wall Street Journal. Anyone can paste a sticker with their own code over a legitimate one in a public place.
- Do some research on apps before downloading them. Who is the publisher, what are the ratings and are there honest reviews?
- Only download from a reputable app store.
- When you install an app on an Android device you will see a list of the permissions the app requires to access hardware and software components on your device, such as Send SMS, Read/Write Contact Data, Full Internet Access and so on. Read the permissions and if you see something that doesn’t look right check it out before installing the app. For example a sound recording app should not need access to your contacts or need to send SMS; the ability to send SMS is exactly what premium-rate SMS malware relies on.
- Consider leaving the Unknown Sources option disabled. It is the setting that allows apps to be installed from anywhere other than the Android Market, which is exactly what a QR Code link to an APK file needs in order to work.
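The permissions check in the list above can be automated. The following Python script is an added example, not code from the post or from any app store. It assumes the app's AndroidManifest.xml has already been decoded to plain XML (tools such as apktool do this) and uses a constructed manifest for a hypothetical sound recorder; the per-category table of expected permissions and the package name are assumptions for the demo, while the `android.permission.*` names are real.

```python
"""Flag Android permissions that do not fit what an app claims to do.

Added example. Assumes the app's AndroidManifest.xml is already decoded to
plain XML; SAMPLE_MANIFEST and EXPECTED_BY_CATEGORY are constructed for the demo.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical "sound recorder" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.recorder">
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Recorder"/>
</manifest>
"""

# Real Android permission names that cost money or expose personal data.
DANGEROUS = {
    "android.permission.SEND_SMS": "can send (premium-rate) SMS at your expense",
    "android.permission.READ_SMS": "can read your text messages",
    "android.permission.READ_CONTACTS": "can read your address book",
    "android.permission.CALL_PHONE": "can place calls without the dialler UI",
    "android.permission.ACCESS_FINE_LOCATION": "can track your precise location",
    "android.permission.READ_PHONE_STATE": "can read device and phone number identifiers",
}

# What each kind of app plausibly needs (assumption; extend for your own use).
EXPECTED_BY_CATEGORY = {
    "sound recorder": {"android.permission.RECORD_AUDIO",
                       "android.permission.WRITE_EXTERNAL_STORAGE"},
    "messaging": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
                  "android.permission.READ_CONTACTS", "android.permission.INTERNET"},
}


def requested_permissions(manifest_xml):
    """Return (package name, set of <uses-permission android:name> values)."""
    root = ET.fromstring(manifest_xml)
    names = {e.get("{%s}name" % ANDROID_NS) for e in root.iter("uses-permission")}
    return root.get("package"), {n for n in names if n}


def review_permissions(manifest_xml, category):
    """Compare requested permissions with what apps of `category` normally need.

    Returns every unexpected permission and, separately, the unexpected ones
    that are also dangerous: those are the ones to investigate before installing.
    An unknown category has no expected set, so everything is reported.
    """
    package, requested = requested_permissions(manifest_xml)
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    unexpected = sorted(requested - expected)
    flagged = [(p, DANGEROUS[p]) for p in unexpected if p in DANGEROUS]
    return {"package": package, "requested": sorted(requested),
            "unexpected": unexpected, "flagged": flagged}


def verdict(review):
    """One-line recommendation derived from a review_permissions() result."""
    if review["flagged"]:
        return "investigate"
    if review["unexpected"]:
        return "check"
    return "looks consistent"


if __name__ == "__main__":
    rev = review_permissions(SAMPLE_MANIFEST, "sound recorder")
    print(rev["package"], "->", verdict(rev))
    for perm, why in rev["flagged"]:
        print("  ", perm, ":", why)
```

The same manifest reviewed as a "messaging" app produces no flagged permissions, which is the point: a permission is not suspicious in isolation, only in relation to what the app is supposed to do, so the category is the input you have to supply honestly.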
The bottom line in my opinion is that QR Code malware on your mobile is very low risk at the moment but if you want something to worry about on your mobile forget viruses and concentrate on preventing bacteria 🙂