More and more advertising posters in public spaces feature QR codes to bridge the physical world with the digital one. This poses a great threat to our mobile devices. I’ve always been skeptical about Bluetooth or Wi-Fi attacks on mobile devices, but this time QR codes are different.
Imagine that someone has put a sticker with a fake QR code over the official QR code on the poster, or that someone changes the QR code during the printing process.
This new QR code points to a website that lets the user download an application. The application has the same name as the official one on the poster but needs you to untick the “install application from known source” setting. After all, the application is free and comes from a reputable company paying thousands of € to advertise in the streets. So the user goes ahead and installs the app.
The user gets the company splash screen, then a message like “not available at the moment” or “retrieving data, please wait.” But the app is not retrieving any data over the network; it is pushing your whole address book and personal data to thieves.
A few days later the user discovers that their social network accounts have been hacked or, worse, that some of their payment details have been stolen.
This is not a science fiction scenario and it can be easily implemented. So think twice before installing an application pushed through a QR code. Mobile security software vendors have golden days ahead.
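One way a QR scanner app could apply that advice to the decoded payload before opening it, as an added example that is not part of the original post. The store host list, the function name and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts treated as official app stores; adjust for your platform.
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}
# File extensions that indicate a direct package download (sideloading).
PACKAGE_EXTENSIONS = (".apk", ".xapk", ".ipa")


def assess_qr_payload(payload: str) -> tuple[str, str]:
    """Classify a decoded QR payload as ('allow' | 'warn' | 'block', reason)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "block", "malformed URL"
    scheme = parts.scheme.lower()

    # market:// deep links open the store client itself, not a web download.
    if scheme == "market":
        return "allow", "store deep link"
    if scheme not in ("http", "https"):
        return "warn", f"non-web scheme {scheme or '(none)'!r}"

    # hostname is the real host, with any userinfo and port stripped.
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.path.lower().endswith(PACKAGE_EXTENSIONS):
        return "block", "direct package download outside an app store"
    if host in OFFICIAL_STORE_HOSTS:
        if scheme != "https":
            return "warn", "store link over plain HTTP"
        return "allow", "official store link"
    # Exact match only: a store name embedded in another host is not the store.
    if any(store in host for store in OFFICIAL_STORE_HOSTS):
        return "block", "host imitates an official store name"
    return "warn", "unknown site; do not install apps offered by it"


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them from a poster.
    samples = [
        "https://play.google.com/store/apps/details?id=com.example.app",
        "http://promo.example.net/brand-app.apk",
        "https://play.google.com.example.net/store/apps",
        "https://promo.example.net/landing",
    ]
    for s in samples:
        verdict, reason = assess_qr_payload(s)
        print(f"{verdict:5}  {s}  ({reason})")
```

A download hidden behind a redirect or a query parameter is not caught by the extension check and only falls into the "warn" bucket, so the verdict should be shown to the user before the link is opened rather than treated as a guarantee.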