Those black-and-white squares you see in ads may look harmless, but lurking behind the quick-response code is the very real possibility of a malicious attack.
More than 30% of QR code readers in the Google Play app store are malicious code, according to David Maman, chief technology officer of the database security company GreenSQL.
"Malicious code providers have started realizing that a lot of people will try downloading QR reader applications," Maman says.
Google tries to police its application marketplace, but it's hard to keep up, Maman says.
Equally troublesome, Maman says, is that hackers have accessed the advertising programs used to generate the QR codes themselves, to redirect the Internet addresses they generate to malicious sites.
Often companies such as banks do not generate their own QR code; they use a marketing or advertising agency that lets them generate the codes through their system. Even if the original link was legitimate, the ownership of the original link is manipulated and forwarded to a site with malware that attacks Android devices, Maman says.
Another threat is fraudulent ads containing malicious QR codes.
Maman recently conducted an experiment during a three-day security conference in London. He created a small poster featuring a security company's logo and the sentence, "Just Scan to Win an iPad."
Thousands of people walked by, no one asked where the sign came from, and no one took it down, not even a representative of the company featured on the sign.
Over the three days, 455 people scanned the sign and browsed the link: 142 iPhone users, 211 Android users, 61 BlackBerry, and 41 unknown browsers.
Maman's QR code simply linked to a Web page featuring a smiley face. "If I had decided to include a malware or poisoned URL attack based on multiple mobile smart phone browsers, I wonder whose phone I would have penetrated," he says.
"QR codes are becoming more and more prevalent, and most of us don't have the same antivirus filtering technology on our phones or tablets that we have on our PCs," Maman says. "Can we really fully trust the QR codes we see on the streets, in restaurants or in ads? Regretfully, the answer is no."
What should a bank that uses QR codes do to protect itself? "Make sure the link inside the QR code will be under the bank's own domain" — such as bankofamerica.com — "and that people can see this is a legitimate link," he says. "Then it will be much harder for anybody to try to manipulate it or try to hack in."
Such a defense would of course require the end user, the bank customer, to be aware of the URL showing up on his mobile device, which is not a given.
"Eighty percent of people who get a link from an unknown sender will never stop and think about it," Maman says.
Any other advice?
"Stop using smart phones. … I'm kidding," Maman says with Borscht Belt timing. "It will only get worse, and eventually 90% of the prevention is very simple thinking. Most likely today nine out of 10 QR codes are safe, but mobile devices are becoming more and more the way to surf the Web — Facebook has declared 50% of its users come in through smartphones. I think within a year it will be 75%, even more. I think next year each and every security vendor is going to have a security solution for mobile devices."
The most important takeaway: "Think before you click anything."