How to Protect Yourself From Malicious QR Codes

Before you scan another QR code with your smartphone, read this:


Those little black and white boxes are everywhere. Product packaging, movie posters, magazines, websites, business cards, you name it, and you'll probably find a Quick Response or QR code on it. QR codes are the latest marketing fad, and they appear to be here to stay, at least until something better comes along to replace them.

A QR code is basically a high-tech multidimensional bar code that you can point your smartphone's camera at and, with the appropriate QR code reader application loaded, scan and decode the message contained within the QR code box.

In many cases, the decoded message in the QR code is a web link. QR codes are intended to save users the hassle of writing down a web address or other information while they're out and about. A quick scan with your phone and a QR reader app is all you need, no fumbling with writing a website or phone number on a napkin or something.

Some advertisers and marketers will randomly place QR codes on billboards, the sides of buildings, on floor tiles, or anywhere else they can think of to make someone curious enough to scan the QR code to find out if it's a web link, coupon, or a code for free products or some other goodie. Many people will readily scan any code they find in hopes that it's associated with a prize of some sort.

Most scanning apps will recognize the fact that the decoded message is a link and will automatically launch your smartphone's web browser and open up the link. This saves you the hassle of having to type the web address into your phone's tiny keyboard.

This is also the point where the bad guys enter the picture.

Criminals have discovered that they can also use QR codes to infect your smartphone with malware, trick you into visiting a phishing site, or steal information directly from your mobile device.

All a criminal has to do is encode their malicious payload or web address into QR code format using free encoding tools found on the internet, print out the QR code on some adhesive paper and affix their malicious QR code over the top of a legitimate one (or e-mail it to you).

Since the QR encoding is not human readable, the victim who scans the malicious QR code won't know they're scanning a malicious link until it's too late.

What can you do to protect yourself from malicious QR codes?

1. Only use a QR code reader app that has built-in security features

There are many QR code readers out there. Some are more secure than others. Several vendors are aware of the possibility of malicious QR codes and have taken measures to prevent users from being duped by harmful codes.

Norton Snap is a QR code reader available for both iPhone and Android. After a code is scanned by Norton Snap, its content is shown to the user before the link is visited so that the user can decide to visit the link or not. Norton also takes the QR code and checks it against a database of malicious links to let the user know if it is a known-bad site or not.

2. Enable the "review before opening the link" feature in your QR code reader application

Before installing a QR code reader app on your smartphone, check to see what security features it offers. Check to make sure that it will allow inspection of the decoded text prior to opening up the code in a browser or other targeted application.

If it doesn't allow this capability, dump it and find one that does.

3. Inspect the QR code to make sure it's not a sticker

While many QR codes are found on websites, the majority of the codes that you will probably encounter will be in the real world. You might see a code on a store display or even on the side of a coffee cup. Before you scan any code you find, feel it (if possible) to make sure that it is not a sticker that has been placed over the real code. If you find a malicious QR code, report it to the owner of the business where you found it.
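
The review step described in tips 1 and 2 (show the decoded content first, check it against a list of known-bad links, open nothing automatically) can be sketched as follows. This is an added example, not code from this article or from any reader app; the function name, the two host lists and the .example domains are hypothetical, constructed values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (assumption): a real reader would query a maintained feed.
KNOWN_BAD_HOSTS = {"malicious.example"}
SHORTENER_HOSTS = {"short.example"}

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def review_qr_payload(decoded: str) -> dict:
    """Build the report a reader shows the user BEFORE anything is opened."""
    text = decoded.strip()
    report = {"payload": text, "scheme": "", "host": None, "warnings": [], "verdict": "warn"}
    warn = report["warnings"].append
    try:
        parts = urlsplit(text)
    except ValueError:
        warn("payload could not be parsed as a link")
        return report
    report["scheme"] = parts.scheme.lower()
    if report["scheme"] not in ("http", "https"):
        warn("not a web link; do not pass it to another app automatically")
        return report
    host = (parts.hostname or "").lower().rstrip(".")
    report["host"] = host
    if not host:
        warn("link has no host name")
    if report["scheme"] == "http":
        warn("unencrypted http link")
    if parts.username is not None:
        warn("text before '@' is not the site; the real host is " + host)
    if _is_ip(host):
        warn("host is a raw IP address, not a name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warn("internationalized name; may imitate another domain")
    if host in SHORTENER_HOSTS:
        warn("shortened link; the final destination is hidden")
    if any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS):
        warn("host is on the known-bad list")
        report["verdict"] = "block"
    elif not report["warnings"]:
        report["verdict"] = "show"
    return report
```

The verdict only decides how the decoded text is presented ("show", "warn" or "block"); opening the link remains the user's explicit choice in every case.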