Just as the use of QR codes slowly creeps toward mainstream adoption in the United States, someone has found a way to exploit them. But how serious is the threat?
Some owners of Android-powered smartphones in Russia were surprised recently when they tried to download an ICQ chat app by scanning a 2D barcode. What they got instead was an unusually large phone bill after their phone sent a series of SMS messages to a premium texting service, which charges a few dollars per text.
The incident was reported by Kaspersky Lab, an antivirus software firm, which first noted the use of malware to hijack QR codes and install trojans on Android devices last month.
A Real Threat to Smartphone Security?
It's kind of surprising that this problem didn't arise earlier. Since QR codes can point to and open any URL, it wouldn't be at all difficult to set one up that points to a page that loads some kind of malware and even installs something nefarious on the phone.
At the same time, the incentive for hackers to do this probably hasn't existed until recently. QR codes are still far from being mainstream technology, but they are being recognized and used by more consumers, as smartphone adoption continues to grow.
This type of exploit is probably easier to execute on handsets powered by Android, whose "open" nature (we know, it's debatable) has the downside of allowing more security holes than its chief competitor, iOS. iPhone users sometimes have trouble opening seemingly common file types, let alone an unauthorized, executable file that could do real damage.
The rise of this type of security threat is pretty much to be expected as any technology grows in popularity. Look at social networks. Yesterday, as news of the death of Libyan dictator Muammar Gaddafi spread throughout Twitter and Facebook, so too did malware disguised as photos or videos of the ousted leader's final moments.
Just as with social media and email, the first line of defense in smartphone security lies with the user, who needs to be discerning and cautious, whether they're clicking links or snapping photos of a barcode.