Infected QR Codes Or Mashable Hype?

I was going to write something about the recent so-called ‘QR Code virus’, but Eismann Oreilly has already done a great job, so here is his article (posted with kind permission of the author).

QR Code Viruses – Should We Panic?

In the last few days an alert about a QR code virus has spread across the Internet. Twitter was full of warnings regarding the QR code virus, including tweets suggesting that this will kill QR codes. Various sites covered the issue, including Mashable and Econsultancy. Almost all reports mention Kaspersky labs, which provides antivirus software and reported the bug.

What are these malicious QR codes and can we protect ourselves from them? Should we panic and stop scanning these codes? And the most interesting question of all – is there such a thing as a QR code virus?

Why does such an alert create panic?

QR codes are not readable by humans. When you scan a QR code using your mobile phone you are in a sense helpless – in the hands of technology. The code you are scanning has nothing in its appearance that can tell you whether it is safe or not. Moreover, you do not even know where it will take you. That’s why QR codes are so great – they enable you to do relatively complicated things with just a click. Many times QR codes are clicked just out of curiosity, only because you know that nothing bad will happen. But what happens when you take this assumption away? What happens if by simply clicking it you have suddenly ruined your phone, or been robbed? Well, one thing is sure: nothing bad will happen to you from simply clicking or decoding a QR code. QR codes may at worst take you to a web site, and from there the situation is completely under your control; otherwise surfing the web would be a dangerous thing to do, and we all know this is not the case.

QR codes cannot be viruses!

A virus must be a part of an executable – meaning a part of an app that runs on your mobile device. QR codes have no executable data encoded in them, and even if they contained machine instructions for some devices, no QR code reader is capable of executing them. So one thing must be stated clearly – QR codes cannot be viruses. In the worst case they can point to a URL that suggests you download an app, and if you choose to download it you may (only on certain platforms) download malware. The problem lies in downloading the app, not in the QR code itself. You still have all the control in the world to decide whether to download the app or not. Nobody suggests that we stop using apps because some apps may contain viruses that will harm you; instead, some people suggest that we stop using QR codes because they might point to such apps.
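The point above, that a reader only decodes data and then decides what to do with it, can be made concrete with a preview step that describes a decoded payload without opening it. This is an added example, not code from the article or from any QR reader; the function name, the returned fields and the sample payloads are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Non-web schemes a reader may hand to another app (labels are this example's).
HANDLER_SCHEMES = {"market": "open an Android Market listing",
                   "tel": "open the dialer", "sms": "open the SMS composer",
                   "mailto": "open the mail composer"}

def preview_qr_payload(payload):
    """Describe what a decoded QR payload asks for, without acting on it."""
    text = payload.strip()
    scheme = text.partition(":")[0].lower() if ":" in text else ""
    if scheme in ("http", "https"):
        url = urlsplit(text)
        notes = []
        if url.path.lower().endswith(".apk"):
            notes.append("direct APK download, outside the Market")
        if url.username is not None:
            notes.append("user-info before '@' hides the real host")
        if scheme == "http":
            notes.append("plain HTTP, content can be altered in transit")
        return {"kind": "url", "target": url.hostname or "", "notes": notes,
                "ask_user": True}
    if scheme in HANDLER_SCHEMES:
        return {"kind": "handler", "target": HANDLER_SCHEMES[scheme],
                "notes": [], "ask_user": True}
    # Anything else is inert text: shown to the user, never executed.
    return {"kind": "text", "target": text, "notes": [], "ask_user": False}

# Constructed sample payloads (example.test is a reserved test domain).
SAMPLES = [
    "https://example.test/menu",
    "http://example.test/files/game.apk",
    "http://example.test@downloads.example.test/free.apk",
    "market://details?id=com.example.game",
    "MOV EAX, 1 ; raw bytes stay text",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", preview_qr_payload(sample))
```

The last sample shows the article's argument in miniature: bytes that look like instructions are still only a string to the reader.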

Let’s face it, claiming this has the same logic as claiming that advertisements should not be used just because ads may suggest that you download apps containing viruses. On most platforms it is safe to download apps, while on other platforms you will be given warnings during the app installation regarding what the app intends to do. You can at any point decide not to download the app if something looks suspicious to you. So let’s first see how the mentioned virus operates, which platforms are safe and what can be done in the currently unsafe environments. It appears that we can protect ourselves when using these platforms with a few simple steps.

How does the virus operate?

A virus must be a part of an executable – meaning it hides in an app that will execute on your mobile device. The specific virus mentioned steals money from you by sending SMS to premium rate numbers behind the scenes, charging you $6 for each SMS. Note that this was effective only in Russia, and doing such a thing in the U.S., for example, is much more difficult, since setting up such numbers in the U.S. is not the simple procedure it happens to be in Russia. Moreover, the virus can operate only on Android devices, through a security hole in the Android platform. This security hole does not exist on iPhone devices, so iPhone users can continue QRing without worry. It does not exist on Symbian and other platforms either.

The reason it does not exist on the iPhone platform is that Apple checks every app for all kinds of security threats before approving it for the App Store, so that you cannot download an app that contains viruses, including ones that send SMS without your knowledge. Similar procedures exist on other platforms too. I assume that I am now losing the interest of iPhone and other non-Android users; the rest of the post naturally focuses on the Android platform, where the problem was found.

Google does not check apps before putting them in Android Market; apps are included without any inspector checking them prior to publishing, and that includes apps with viruses. The situation, however, is far from hopeless: the Android platform still provides you with permission warnings when you are downloading and installing any application, with or without malware.

When downloading an APK (which stands for Android Package, and is actually an app) you are presented with a set of permission warnings. These warnings tell you the kind of things that the application may do. In particular, you should get a warning when it will use sensitive system functions. Let’s look at some of the warnings that should trigger a red light for you.

Dangerous Permission alerts – Android only

BRICK – This means that the application you are about to install has the capability to disable your device. This is a very dangerous threat; do not download any app with this alert unless you know what you are doing.

CALL_PHONE – Allows the app to perform a phone call without using the regular dialer user interface. Again, some applications are expected to do this, and there is no problem in using well-known apps that may be doing this, for example as a result of a user clicking a number on the screen.

PROCESS_OUTGOING_CALLS – Allows the application to monitor, modify or even abort outgoing calls. Again, this may be the purpose of some applications. Check whether you expect the app you are downloading to do this.

REBOOT – The app has the ability to reboot your device. Do not download games with this permission alert.

SEND_SMS – Allows the application to send SMS. This is the loophole that the virus mentioned used. Please note that this permission alert must have been presented to the user during the installation of the game. Do not download apps with this alert if they are not supposed to be able to send SMS.

WRITE_SMS – Allows the application to write SMS messages. Games, for example, are not supposed to do this.

USE_SIP – Allows using Session Initiation Protocol for controlling communication sessions such as voice over IP and video transmission. Do not download applications that have no connection to this activity if they have this permission alert.

For a full list of all permission alerts for Android apps look here.
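The check described in this section can be automated before installation by reading the permissions an app declares and comparing them with the alerts listed above. The following is an added example, not code from the article or from Android: the function name, the `expected` parameter and the sample manifest are assumptions, and because APKs store their manifest as binary XML, it assumes the manifest has already been decoded to text XML by a separate tool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# The permission alerts the article singles out, with its stated reason.
FLAGGED = {
    "BRICK": "can disable the device",
    "CALL_PHONE": "can place calls without the regular dialer UI",
    "PROCESS_OUTGOING_CALLS": "can monitor, modify or abort outgoing calls",
    "REBOOT": "can reboot the device",
    "SEND_SMS": "can send SMS; the loophole the article says the virus used",
    "WRITE_SMS": "can write SMS messages",
    "USE_SIP": "can use SIP for voice over IP and video sessions",
}

def review_manifest(manifest_xml, expected=()):
    """Return (permission, reason) pairs that are flagged and not expected.

    `expected` lists permissions the app's purpose justifies, e.g. an SMS
    client legitimately needs SEND_SMS; a game does not.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if not name.startswith(PREFIX):
            continue  # custom or vendor permission, out of scope here
        short = name[len(PREFIX):]
        if short in FLAGGED and short not in expected:
            findings.append((short, FLAGGED[short]))
    return findings

# Constructed manifest for a hypothetical game, already decoded to text XML.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.REBOOT"/>
  <application android:label="Example Game"/>
</manifest>"""

if __name__ == "__main__":
    for perm, reason in review_manifest(SAMPLE_MANIFEST):
        print(f"{perm}: {reason}")
```

For an app that is supposed to send messages, pass `expected=("SEND_SMS", "WRITE_SMS")` so that only the unexplained permissions are reported.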

Can these viruses be stopped?

The first thing to remember is that a QR code in itself cannot be a virus; at worst it can just point to a URL suggesting that you download an app with a virus. The second thing is that viruses will always be relevant to specific platforms where security holes may be found. The first steps for stopping such viruses can be performed immediately. For example, the virus mentioned in the last few days has been removed from the Android Market by Google and therefore does not exist anymore. The QR codes containing the link will take you to a page stating that the application has been removed from Market. I am also confident that Google will close this security hole so no other apps will be capable of doing this specific trick in the future.

It is possible, however, for Android users to download applications outside the Market. Here is a link to a site that explains how to download such applications, and as you can see you will get a few warnings on your screen during the process. The danger was, and still is, in downloading apps. You can also download the antivirus from Kaspersky labs for Android devices (or other antivirus software) for a few dollars, and this may give you a more secure feeling.

The bottom line is that the real problem is in apps and in platforms that will allow apps to do bad things to us. This for sure will not kill the concept and usage of apps. Every security hole detected will make using apps in our phones safer. It surely has nothing to do with QR codes since they are neither apps nor executables, and simply scanning them is still a completely safe process.

5 thoughts on “Infected QR Codes Or Mashable Hype?”

  1. Downloads use MD5 hashes to make sure it is the real deal; maybe some added security for QR codes is needed. Also, scanning QR codes from a trusted source like we are doing will help mobile users stay away from viruses and spyware. What we have done is wrapped our QR codes in our brand to let the mobile user know that when they see our brand the code will go to our site.

  2. Thanks for providing the article. I think an easy fix to this issue would be something similar to how online shopping scams were addressed. There must be some type of validation system or process that can be put in front of QR codes to protect the consumer market. Anyone know of such a thing?
