Hackers could use QR codes to remotely access all of the data in a person’s phone and record their every move through pictures and audio, and there’s no way to know once a device is infected.
QR codes, part of popular marketing strategies created to engage mobile device users, have become a vector for malware that hackers could use to remotely access all of the data in a person’s phone and record their every move through pictures and audio, according to cybersecurity researchers. And there’s no way to know once a device is infected.
In an interview on Tuesday with Security Management, Nicholas Percoco, senior vice president and head of Trustwave SpiderLabs, a group of ethical hackers at a data security firm with expertise in investigations, research, and application security, said that most attacks that happen on mobile platforms occur when a user goes to a malicious URL or is redirected to a Web site containing malicious code. Hackers are using QR codes as a tool to direct mobile phone users to those Web sites and infect mobile devices with malware.
QR codes use an image to hold information that can be scanned by specific readers the same way as a bar code. In the past they have been used for retail inventory, airline boarding passes and event tickets, and direct mailing, but the increased use of mobile devices has made them popular for marketing campaigns and shopping. QR codes placed on billboards and posters around cities allow users to get additional information about a product or company.
“It looks like a gray box with some squares knocked out here and there and you take a photo of that with your phone. It decodes it and sees that it’s a URL and takes you to that Web site,” he said.
Kaspersky Lab discovered the first instances of QR code tampering in September. A Russian app called Jimm that contained a virus that sent text messages to a premium rate number, comparable to calling a 900-number in the U.S., was being downloaded through a QR code by smartphone users in Europe. Text messages to the service cost six dollars per message. By early October Kaspersky had detected QR codes linked to malware for Android and J2ME – the cybercriminals’ favorite mobile platforms, according to Kaspersky’s September malware report.
“If it is shown that this made the authors any kind of money, you can count on this happening again,” one malware expert told Silicon Angle.
Because a user has no way to verify where the code is directing them, a code can download malware without the user ever knowing.
“When users are affected with malware on a mobile device, there’s little visibility in the security world of what that looks like. Most security software is looking for malicious apps, but not something from a malware standpoint,” Percoco said.
QR codes are being used everywhere – from billboards to produce stands to libraries to nature trails. So for hackers the codes become an easy vector to target mobile devices. Percoco says hackers could build rogue QR codes in a matter of minutes and deploy them as random stickers or overlays on existing QR codes. Many legitimate QR codes are displayed in public, with no explanation, to entice customers into decoding the image to see what’s next.
“There was a billboard that was 30 feet by 15 feet in downtown Chicago that was literally only a QR code,” Percoco said.
Trustwave SpiderLabs first realized the potential for QR codes as a delivery mechanism for malicious content earlier this year while researching iPhone vulnerabilities. Researchers found that they could successfully infect a smartphone with malware that could jailbreak the phone and give them access to any data contained on the phone including contacts, email addresses, and text messages.
On both Android phones and iPhones, they were able to use malware to gain access to the phones' cameras and microphones to record pictures and audio. Using malware downloaded from a site linked to a QR code, a hacker could access a person’s phone to see when their next meeting was, then record the audio from the meeting, for example.
The first protection against QR code-based attacks, Percoco said, is not to “scan random QR codes you see while walking on the street.” The second is to use a QR app that doesn’t send the browser directly to a Web page. Some apps show a preview of the Web page or the URL that the code directs to.
“There aren’t a lot of mechanisms, from a mobile perspective, to look for malicious sites. So that being the case, the best solution is to avoid QR codes where you can or if you don’t trust the source,” he said.
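The second protection described above, a reader that shows the destination instead of opening it, can be sketched as follows. This is an added example, not code from Trustwave or from any QR app named in the article; the function name `preview_qr_payload`, the warning rules, and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def preview_qr_payload(payload: str) -> dict:
    """Describe a decoded QR payload for display; never navigate to it."""
    text = payload.strip()
    result = {"display": text, "host": None, "warnings": [],
              "open_automatically": False}  # always require an explicit tap
    try:
        parts = urlsplit(text)
    except ValueError:
        result["kind"] = "invalid"
        result["warnings"].append("could not be parsed as a link")
        return result
    if parts.scheme not in ("http", "https"):
        # Plain text, tel:, sms: and app-store links are shown, not launched.
        result["kind"] = "non-web"
        result["warnings"].append("not a web link; shown as text only")
        return result
    host = parts.hostname or ""
    result.update(kind="web", host=host)
    if parts.scheme == "http":
        result["warnings"].append("unencrypted http")
    if parts.username or parts.password:
        # In https://brand.example@198.51.100.1/ the real host follows the '@'.
        result["warnings"].append("text before '@' is not the destination")
    try:
        ipaddress.ip_address(host)
        result["warnings"].append("numeric IP address instead of a name")
    except ValueError:
        pass  # ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        result["warnings"].append("punycode host; rendered name may mislead")
    if not host:
        result["warnings"].append("no host name")
    return result


if __name__ == "__main__":
    # Constructed sample payloads (reserved documentation names and addresses).
    for sample in ("HTTP://Example.COM/promo",
                   "https://example.com@203.0.113.7/login",
                   "tel:+15550100"):
        info = preview_qr_payload(sample)
        print(info["kind"], info["host"], info["warnings"])
```

The host shown to the user is the parsed destination rather than the raw string, which is what lets a preview catch a link whose visible prefix names one site while the browser would connect to another.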
photos by FunGi_ and sillygwailo from flickr