Be careful the next time you scan a QR code, because it might just cost you money and wreak havoc on your smartphone.
That’s the warning from Kaspersky Lab, which has noticed the first instance of QR code tampering. The incident took place in Russia last month and hoodwinked consumers who thought they were downloading an Android app called Jimm. The code actually contained malware that sent SMS codes to a premium rate number that charged for each message.
Tim Armstrong, a malware researcher at Kaspersky, says premium rate numbers operate similarly to 900 numbers in the U.S. The four- to five-digit numbers charge for each incoming text, wringing cash out of unsuspecting users. Armstrong says that it’s much more difficult to set up such numbers in the U.S., but cyberthieves will soon be able to create global premium rate numbers that could theoretically attack American consumers the same way. Infected QR codes could also be used for phishing scams, Armstrong says.
Robert Siciliano, an online security analyst at McAfee, says that infected QR codes are new on the scene. “It’s just hitting the radar in the security community,” he says, adding that it’s a “pretty brilliant scheme.”
Both Armstrong and Siciliano say that consumers shouldn’t be over-cautious about QR codes at this point. Armstrong notes that there’s an interim step between scanning the code and launching an app in which consumers can determine if they’ve been scammed. “If it’s a game and it’s requesting SMS, then you know something’s wrong,” he says. Siciliano, meanwhile, says a good rule is to click only on QR codes from a known vendor or advertiser.
QR codes are more popular in Asia and Europe than in the U.S., but many advertisers, including Taco Bell and Calvin Klein, among others, have employed them. They’ve also shown up on rooftops and on a tombstone.