The next time you see a QR code in a public place, you might want to think twice before opening up Google Goggles. According to researchers at Kaspersky, a new Trojan has been found that uses the popular barcodes to steal Android users’ hard-earned cash via a text message scam. The problem is not widespread at the moment, but the precedent highlights a disturbing trend of exploitation towards Android users.

It works like this: a hacker leaves unassuming QR codes in well-traveled areas, knowing that with the rapid expansion of Android’s market share, someone’s bound to scan it in. The code is a URL linking to a malicious website that exploits a weakness in the Android browser to install a piece of Trojan software. Once the software activates, the user’s phone sends text messages to a premium line, charging the user’s phone bill $6 each time.

One of the disadvantages of the open nature of Android is that it’s, well, open. The source code can be examined by criminals and exploited fairly easily, and when a security hole is found they take advantage of it. The best way to protect yourself from malware is to only install apps from sources you trust – it seems that this policy now extends to scanning QR codes as well. With more and more vulnerabilities being found in Android’s core software, it’s more important than ever that users stay diligent and that carriers update their phones.

[via ZDNet]



  1. But if the QR code installs an apk, doesn’t it prompt you first?  And doesn’t your Android phone specifically have to be set to allow apk’s from Unknown Sources?   This is kind of a stretch, I know I’m not in the habit of install apk’s if I don’t know their source.

  2. Who in the world told you that open source code is any more easily exploited than closed source code or that is a disadvantage. If that were the case most internet sites would be getting hacked to death right now because Linux is open source. Just about every language used to build websites and applications is open source. OS X and iOS are built on the open source BSD project.  

    Its time for people to stop tossing open source about like they’ve had any dealings with it before learning about Android. If black hats can spot the offending code then millions of developers looking at the code would also see it and patch it early.

  3. Actually, since the source code is open, it can be fixed much faster than when the source code is closed. It proves true again and again in Linux world, where bugs are fixed much faster than in Windows world. Stop spreading FUDs against open source.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.