Malware in a barcode

Quick Response codes, also known as QR codes, are two-dimensional barcodes originally invented by the automotive industry to keep track of parts during manufacturing. However, these barcodes can hold any type of information and were quickly adapted for use in many other industries. Most smartphones now have applications that can quickly read and process QR codes. You simply point your camera at the barcode and take a picture.

The QR code generated above contains a link to this domain. While QR codes themselves do not contain malware, imagine a barcode that takes you to a malicious website, one that uses an exploit in your smartphone to install unauthorized applications. The possibilities are endless, and as this technology becomes more popular, there is greater motivation to find ways to exploit it. John Vezina put it best when he said, “I could, if I wished, print out dozens of QR codes and peel and stick them to bus stops, power line poles, or anywhere the things can stick to.”

By Marcin Kleczynski

CEO of Malwarebytes
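As an added illustration (not part of the original post and not Malwarebytes code): a reader app can inspect what a code decodes to before acting on it. The sketch below classifies a decoded payload by URI scheme and flags URL traits worth a second look; the trusted-domain list, warning labels and function names are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list for the example; a real deployment supplies its own.
TRUSTED = {"examplebank.com", "example.org"}
SCHEME_KINDS = {"tel": "phone", "mailto": "email", "geo": "location",
                "market": "app-store", "http": "url", "https": "url"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_payload(payload):
    """Return (kind, warnings) for a decoded QR string without opening it."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
        has_userinfo = parts.username is not None
    except ValueError:                      # e.g. malformed bracketed host
        return "other", ["unparseable"]
    scheme = parts.scheme.lower()
    kind = SCHEME_KINDS.get(scheme, "other" if scheme else "text")
    warnings = []
    if kind != "url":
        return kind, warnings               # shown to the user, never auto-run
    if scheme == "http":
        warnings.append("no-tls")
    if has_userinfo:                        # real host is what follows the '@'
        warnings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass
    bare = host[4:] if host.startswith("www.") else host
    if bare not in TRUSTED:
        for good in sorted(TRUSTED):
            if edit_distance(bare, good) <= 2:
                warnings.append("lookalike-of:" + good)
    return kind, warnings
```

An empty warning list means only that none of these checks fired; the decoded text should still be shown to the user before anything is opened.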

7 replies on “Malware in a barcode”

Just as a follow-up — QR codes definitely have their uses. Users can encode URLs, phone numbers, locations, e-mail addresses, and much more. Unfortunately with this great versatility comes risk.

I remember IBM asset tags at a certain client location having barcodes on them so that, when taking inventory, you just had to scan in the barcodes to a laptop and it would insert the number in a spreadsheet for you. Very useful, and unfortunately also dangerous if they lead you to an infection. As with anything else, make sure any barcodes or QR codes that you scan into a computer or phone are from a trusted source and if possible make sure that they have not been tampered with.

Many readers allow you to view the content of the QR code prior to popping off to the embedded URL. Winston Churchill’s quote sort of applies here, “the cost of greatness is responsibility.” In this instance, you must ante up some responsible browsing behavior to enjoy the greatness of a QR code infested world.

I don’t know what everyone is on about; the article doesn’t say anything about QR codes having ACTUALLY been exploited. Sure, there is motivation to put malware into QR codes; there is motivation to put malware into everything. The question isn’t “would people like to”, it’s “can it be done”. QR codes have a very small window of text (about 4k at its highest with very little redundancy), 2k of binary, and while you could make a program that reads them with nearly no checking or proper memory allocation that could be weak to exploit, it would also be a poor parser and not likely to be very widespread in its use.
The uses of QR codes are very limited, the parsing very well defined; malware seems very unlikely.
Until new things are added to QR, from time to time new protocols are built on top of QR (like the market: tag for things on the Android market); that is about the only place malware could get in, a poor protocol specification.

I agree that it’s a bogus link that is most likely to be used. Especially if you use a link that is similar to a good link.
Imagine putting a link to a fake antivirus site on antivirus software boxes in a store; or worse, a QR label to a bogus bank site stuck on some of that bank’s ATMs!
