The next time you see a QR code in a public place, you might want to think twice before opening up Google Goggles. According to researchers at Kaspersky, a new Trojan has been found that uses the popular barcodes to steal Android users’ hard-earned cash via a text message scam. The problem is not widespread at the moment, but the precedent highlights a disturbing trend of exploitation of Android users.
It works like this: a hacker leaves unassuming QR codes in well-traveled areas, knowing that with the rapid expansion of Android’s market share, someone’s bound to scan one. Each code encodes a URL linking to a malicious website that exploits a weakness in the Android browser to install a piece of Trojan software. Once the software activates, the user’s phone sends text messages to a premium line, charging the user’s phone bill $6 each time.
One of the disadvantages of the open nature of Android is that it’s, well, open. The source code can be examined by criminals and exploited fairly easily, and when a security hole is found they take advantage of it. The best way to protect yourself from malware is to only install apps from sources you trust – it seems that this policy now extends to scanning QR codes as well. With more and more vulnerabilities being found in Android’s core software, it’s more important than ever that users stay vigilant and that carriers update their phones.