How “Innocent” QR Codes Are Giving Headaches To Both Android And iOS Users


At almost the same time, two different QR code issues have surfaced, affecting Android and iOS devices respectively. There is a difference, though: the Android one is malware, while the iOS one is a bug in Apple's own software.

Innocent Android QR code apps hide malware inside

The security firm SophosLabs discovered several malicious Android apps living in the Play Store. These apps disguise themselves as QR code scanning and compass apps.

While this is not the first case of malware-laden apps finding a place on Google Play, the malicious code in these apps, which Sophos detects as Andr/HiddnAd-AJ, was made to look like an ordinary Android programming library. That is how the apps managed to slip past Google's screening.

[Image: the Android QR code malware apps on Google Play. Source: Sophos]

Also, these apps don't reveal their true intentions until six hours after installation. After that, they start flooding the user's device with advertisements.

Google removed these QR code malware apps from the Play Store after they were downloaded more than 500,000 times.

QR code bug in iOS 11 Camera app

Now, for iOS, it's not malware hiding in plain sight on the App Store. A bug in the way the iOS 11 Camera app handles QR codes can push people towards malicious websites. The security researcher Roman Mueller discovered the flaw.

The bug lets an attacker craft a QR code whose embedded link is displayed one way and opened another. Scanned on an iPhone, for example, such a QR code would show a notification offering to open facebook.com in Safari. In reality, tapping it could send the user to some fishy website instead. Mueller shared a demo of the bug in action on Twitter.

In his blog post (via 9to5Mac), Mueller said the problem lies in the Camera app's URL parser.

Here is the example URL:

https://xxx\@facebook.com:443@infosec.rm-it.de/

According to Mueller, the Camera app thinks that "xxx\" is the username, to be sent to "facebook.com:443". Safari, on the other hand, treats "xxx\@facebook.com" as the username and "443" as the password, to be sent to "infosec.rm-it.de".

Because of this, the hostname shown in the notification is not the hostname the link actually opens.
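To make the parser disagreement concrete, here is an added example (not code from the article, from Mueller's blog, or from Apple). The "first '@' wins" function is an assumed model of the display behaviour the article describes for the Camera prompt, not Apple's implementation; the second function uses Python's urllib, which cuts the authority at its last "@" and therefore lands on the same host, username and password the article attributes to Safari. The final function is the check a QR scanner should run before showing an "Open in Safari" prompt: refuse URLs that carry userinfo at all, and refuse any URL where the host you would display differs from the host that will actually be contacted.

```python
import re
from urllib.parse import urlsplit

# The URL from the article (constructed inline for this demo). Raw string, so
# the single backslash after "xxx" is kept exactly as it appears in the QR code.
DEMO_URL = r"https://xxx\@facebook.com:443@infosec.rm-it.de/"


def naive_display_host(url: str) -> str:
    """Model of a "first '@' wins" parser.

    ASSUMPTION: this models the display behaviour the article reports for the
    iOS 11 Camera prompt; it is not Apple's code. Everything before the first
    '@' is taken as userinfo, and the host runs from there to the next ':' or
    '@' (or the end of the authority).
    """
    rest = url.split("://", 1)[1]                        # strip the scheme
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]  # up to '/', '?' or '#'
    if "@" in authority:
        _userinfo, _, hostport = authority.partition("@")  # first '@'
    else:
        hostport = authority
    return re.split(r"[:@]", hostport, maxsplit=1)[0]


def navigated_host(url: str) -> str:
    """Host that urllib's RFC 3986-style parser resolves: the authority is cut
    at its LAST '@', which matches the Safari behaviour the article describes."""
    return urlsplit(url).hostname or ""


def navigated_credentials(url: str) -> tuple:
    """(username, password) as that same parser sees them."""
    parts = urlsplit(url)
    return parts.username, parts.password


def safe_to_show(url: str) -> tuple:
    """Hardened pre-display check for a QR scanner.

    Refuses any URL carrying userinfo (legitimate QR links do not embed
    credentials) and any URL for which the host we would display differs from
    the host that will actually be contacted. Returns (ok, reason_or_host).
    """
    parts = urlsplit(url)
    if parts.username is not None or parts.password is not None:
        return False, "refusing URL with userinfo"
    shown, real = naive_display_host(url), navigated_host(url)
    if shown.lower() != real:
        return False, f"display/navigation host mismatch: {shown} vs {real}"
    return True, real


if __name__ == "__main__":
    print("displayed host :", naive_display_host(DEMO_URL))   # facebook.com
    print("navigated host :", navigated_host(DEMO_URL))       # infosec.rm-it.de
    print("credentials    :", navigated_credentials(DEMO_URL))
    print("safe to show?  :", safe_to_show(DEMO_URL))
```

Run it and the two parsers disagree on the demo URL (facebook.com versus infosec.rm-it.de), while a plain https://facebook.com/ passes the check with the same host from both. Note that a third parser would give a third answer: the WHATWG URL parser used by modern browsers and Node treats a backslash in an https authority as a path separator, so it would report the host as "xxx". That is precisely why the check above compares the display path with the navigation path rather than trusting either one, and why rejecting userinfo outright is the simplest defence.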

[Image: the QR code notification as it appears on an iPhone]

Mueller notified Apple about the vulnerability in December 2017, but it still remains unpatched after the release of the iOS 11.2.6 update. The abuse potential is considerable: for instance, it could be used to trick uninformed iOS users into downloading malware or visiting a scam site while the prompt shows a trusted domain.

