QR Codes Pose Major Malware Threat

By | Jul 10, 2012

Largely considered a clever marketing technique, QR codes may pose a greater danger than most believe. Formally titled "quick response," a QR code is a two-dimensional barcode that consists of black modules overlaying a white background. Once scanned by a smartphone, the embedded code will usually redirect you to a new web location. Although the technology has gained praise from mobile marketers looking for an inexpensive form of advertising, hackers are starting to use these codes to distribute malware. While not yet a widespread threat, IT admins should be aware of their immense potential to do harm.

The Devil Is In the Details

According to CNET, QR codes have become very popular because of their simplicity. They have seen widespread use in several industries, especially the competitive real estate field. Agents use the technology to market their most lucrative properties, placing the unobtrusive codes on their signs and brochures. With the codes popping up everywhere, the public considers them harmless.

The danger with a QR code is that the smart phone user must rely on the honesty of the provider. Most times, they simply assume that the code is legitimate and don't even think of the possibilitly of malicious software hiding behind the black-and-white pattern. However, unlike website addresses or downloadable applications, the codes all look the same to the average user. Damon Petraglia, director of information security services for Chartstone, said "The big problem is that the QR code to a human being is nothing more than 'that little square with a bunch of strange blocks in it.' There's no way to tell what is behind that QR code."

As explained in a report by Dark Reading, hackers looking to take advantage of smartphone users prey on their curiosity. People will see a random QR code that is not tied to anything, such as a sticker on a telephone pole, and scan the code to satisfy their curiosity. The code will then redirect users to a malicious website that effectively jailbreaks the phone. Once jailbroken, the hacker can deploy additional malware in the form of keyloggers and GPS trackers.

Staving Off the Threat

Midsize businesses should be very concerned about the QR code threat, especially with an abundance of personal devices that are also used for work. Although the BYOD trend has enabled workers to be more productive, it also helps hackers gain access to sensitive information. To combat these threats, IT managers should enforce stricter rules on smart phones and tablets in the workplace. The most direct approach would be to ban personal devices altogether, with businesses issuing their own smart phones and data plans to employees.

IT departments should also limit the amount of Android devices entering the office. Since Androids allow third-party applications to run on the software, they are most susceptible to QR code attacks. "On the Android, the chances of getting infected are much higher since applications are allowed to do actions such as sending SMS, blocking SMS, making calls, etc," said Tomer Teller, a security evangelist at Check Point Software Technologies. "All a user needs to do is scan a barcode, and it will redirect to a website that will download the Android Application."

Furthermore, businesses should also look into the installation of anti-virus software on mobile devices. With mobile devices quickly developing greater functionality, there is a huge need for better security measures. For example, new phones are being fitted with NFC capabilities, allowing them to act as both a mobile bank and as a new payment method. An infected QR code could potentially gain access to the user's, or company's, bank accounts.

The goal of IT is to make their employees aware of such dangers. By warning personnel about infected QR codes, employees will be more cautious when downloading online content or scanning unknown codes.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. Like us on Facebook. Follow us on Twitter.

IBM Solution CSP

A partnership with IBM will provide the solid, proven business benefits - from marketing to sales to technical support - that you can rely on to grow with confidence.

Learn More »