Since Covid-19 emerged over one year ago, QR codes have become a ubiquitous feature in our lives. Millions of people are now accustomed to scanning the codes every time they enter a café, shop or workplace environment.
However, what many do not realise is that QR codes can be used to deliver malware to unsuspecting individuals. A malicious QR code can direct a user to a fake website, capture personal data or install malicious software on the smartphone.
The risks are reduced when the QR code needs to be scanned by a Government-issued application, such as the one released by Service NSW. However, not all venues across Australia are using QR codes that are integrated with a Government-issued application.
Recently, a popular Android application called Barcode Scanner was removed from Google Play after it was discovered to have installed ad-pushing malware onto millions of users’ phones. Users began noticing that they were being redirected to random advertisements. Following investigations, it was discovered that obfuscated malicious code had been hidden in an update.
This case highlights the potential risks associated with QR codes and the applications that read them. Common attack vectors may include:
- Adding new contacts to the phone as a prelude to launching spear phishing attacks.
- Initiating phone calls to the attacker, thereby exposing the victim’s phone number.
- Launching smishing attacks by sending malicious text messages to the user’s contacts.
- Accessing the user’s work emails which may result in Business Email Compromise attacks.
- Automatically sending mobile payments and capturing the user’s personal financial data.
- Secretly tracking the user’s geolocation as reconnaissance for a Business Email Compromise attack.
- Following the user’s social-media accounts, exposing their personal information and contacts.
- Connecting the device to a compromised Wi-Fi network, exposing it to ongoing breaches.
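Each vector in the list above corresponds to a QR payload type that a scanner app acts on (a `WIFI:` string joins a network, `tel:` dials, `SMSTO:` drafts a text, `MECARD:`/`BEGIN:VCARD` adds a contact, `geo:` opens a map). The following added example, not code from the original article, classifies a decoded payload by the action it would trigger and holds anything other than a plain https link for explicit user confirmation; the scheme prefixes follow the common ZXing-style conventions, and the sample payloads are constructed.

```python
import re
from urllib.parse import urlparse

# Scheme prefixes (matched case-insensitively) for the payload types behind the
# article's list of attack vectors. Using ZXing-style conventions is an assumption.
ACTIONS = [
    ("wifi",    r"^WIFI:",                "joins a Wi-Fi network"),
    ("contact", r"^(MECARD:|BEGIN:VCARD)", "adds a contact"),
    ("call",    r"^TEL:",                 "places a phone call"),
    ("sms",     r"^(SMSTO|SMS):",         "sends a text message"),
    ("email",   r"^(MAILTO:|MATMSG:)",    "opens an email"),
    ("geo",     r"^GEO:",                 "opens a location"),
    ("url",     r"^https?://",            "opens a web page"),
]

def classify_qr_payload(text: str) -> dict:
    """Return the action a scanner app would take for a decoded QR payload and a
    verdict: 'block' for device actions, 'review' for http or userinfo-bearing
    links, 'allow' for plain https links and plain text."""
    for kind, pattern, action in ACTIONS:
        if re.match(pattern, text, re.IGNORECASE):
            break
    else:
        return {"kind": "text", "action": "displays text", "verdict": "allow"}
    if kind == "url":
        parsed = urlparse(text)
        verdict = "allow"
        # Cleartext links and "user@host" tricks are held for a closer look.
        if parsed.scheme.lower() != "https" or "@" in parsed.netloc:
            verdict = "review"
        return {"kind": kind, "action": action, "verdict": verdict,
                "host": parsed.hostname}
    # Anything that makes the phone do more than browse needs explicit consent.
    return {"kind": kind, "action": action, "verdict": "block"}

# Constructed sample payloads, one per vector named in the article.
SAMPLES = [
    "WIFI:T:WPA;S:FreeCafeWifi;P:pass1234;;",
    "MECARD:N:Help Desk;TEL:+61000000000;;",
    "tel:+61000000000",
    "SMSTO:+61000000000:Your account is locked",
    "geo:-33.8688,151.2093",
    "http://login.example.com/verify",
    "https://checkin.example.com/venue/123",
    "Table 12",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        v = classify_qr_payload(sample)
        print(f"{v['verdict']:6} {v['kind']:8} {v['action']:22} {sample}")
```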
Organisations need to be aware of the risks associated with their teams scanning QR codes. This is particularly the case as many employees now use their own devices for work. These devices may run work-related applications that may be vulnerable.
Mobile device security needs to be a priority for all organisations to protect against phishing attacks, device takeovers, man-in-the-middle exploits and malicious application downloads. Make sure you roll out security measures on every mobile device that accesses business applications and data, including smartphones, laptops and tablets.
Contact us for further assistance securing the mobile devices in use in your environment.