At almost the same time, two different QR code issues have surfaced, affecting Android and iOS devices respectively. There is a difference, though: on Android it is malware, while on iOS it is a bug.
Innocent Android QR code apps hide malware inside
The security firm SophosLabs discovered several malicious Android apps living in the Play Store. These apps disguise themselves as QR code scanning and compass apps.
While this is not the first case of malware-infected apps finding a place on Google Play, the Andr/HiddnAd-AJ malware hidden in these apps was made to look like an ordinary Android programming library. That is how they managed to bypass Google’s filtering system.
Also, these apps don’t reveal their true intentions until six hours after the installation. After that, they start flooding users’ devices with advertisements.
Google removed these QR code malware apps from the Play Store after they were downloaded more than 500,000 times.
QR code bug in iOS 11 Camera app
Now, for iOS, it’s not some malware hiding in plain sight on the App Store. A bug in the way the iOS 11 Camera app handles QR codes is pushing people towards malicious websites. The security researcher Roman Muller discovered the flaw.
The bug lets a QR code carry a link that appears to point to one site but actually opens another. After being scanned by an iPhone, for example, a QR code would display a link to visit Facebook.com via the Safari browser, but in reality it could redirect the user to some fishy website. Muller shared a demo of the bug in action on Twitter.
Apple iOS camera app doesn't properly parse URLs in QR codes. It shows a different host in the notification than it really opens. As of now still unfixed: https://t.co/EMQk7uBQ9i pic.twitter.com/KE6EwYhj7s
— Roman (@faker_) March 24, 2018
Here is an example code:
According to Muller, the Camera app thinks that “xxx\” is the username, to be sent to “facebook.com:443”. Safari, on the other hand, treats “xxx\@facebook.com” as the username and “443” as the password, to be sent to “infosec.rm-it.de”.
Because of this, the hostname shown in the notification differs from the host the link actually visits.
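The two readings described above, as an added example that is not code from the article or from the researcher: a naive parser that ends the userinfo at the first “@” (the shortcut behaviour the article attributes to the Camera app) is compared against Python’s urllib, which follows the RFC 3986 rule that userinfo ends at the last “@”. The sample URL is constructed from the description above, since the exact demo string is not shown on the page, and the function names are my own.

```python
from urllib.parse import urlsplit

# Constructed from the article's description of the demo (assumption: the
# exact string the researcher used is not reproduced on the page).
SAMPLE_URL = r"https://xxx\@facebook.com:443@infosec.rm-it.de/"


def naive_host(url: str) -> str:
    """Shortcut parse: everything before the FIRST '@' in the authority is
    taken as userinfo, and the text up to the next ':' is the host.
    This mimics the behaviour the article describes and is the mistake
    a URL preview must avoid."""
    rest = url.split("://", 1)[1]
    authority = rest.split("/", 1)[0]
    if "@" in authority:
        authority = authority.split("@", 1)[1]
    return authority.split(":", 1)[0]


def effective_host(url: str) -> str:
    """Host a standards-following parser actually connects to: urllib splits
    userinfo at the LAST '@' of the authority, as RFC 3986 requires."""
    return urlsplit(url).hostname or ""


def has_userinfo(url: str) -> bool:
    """A URL that carries userinfo at all is unusual in a QR code and is a
    cheap signal that the displayed host may not match the real one."""
    return urlsplit(url).username is not None


def preview_is_honest(url: str) -> bool:
    """True only when the naive preview and the real destination agree."""
    return naive_host(url) == effective_host(url)


if __name__ == "__main__":
    print("naive preview host :", naive_host(SAMPLE_URL))
    print("effective host     :", effective_host(SAMPLE_URL))
    print("userinfo present   :", has_userinfo(SAMPLE_URL))
    print("preview honest     :", preview_is_honest(SAMPLE_URL))
```

A scanner that shows the user a destination should display `effective_host` (and flag or strip URLs where `has_userinfo` is true) rather than the result of a shortcut parse.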
Muller notified Apple about the vulnerability in December 2017, but it still remains unpatched after the release of the iOS 11.2.6 update. The possibilities it opens are endless. For instance, it could be used to trick many uninformed iOS users into downloading malware or visiting a scam website.