QR codes are now commonly used to pay bills, open links, and log in, but the same speed lets attackers move a victim from the physical world into a malicious website or app action with a single scan. In recent campaigns the QR image is a delivery wrapper rather than the threat itself: it can conceal a lengthy redirect chain, appear in emails and posters, and lead to quishing (QR phishing), in-app deep links, or direct downloads that bypass app store checks.
The threat model comes from Palo Alto Networks, whose researchers observed an increase in malicious QR activity in recent months and tracked campaigns that combined phishing and scams. They report that their crawlers see approximately 75,000 QR codes daily; about 15% of the pages those codes point to contain malicious links, for a daily total of over 11,000 detections.
An example of a malicious QR code shortener (Source: Palo Alto Networks)

A single scan can travel outside the corporate perimeter, land on a convincing login page, and even vanish quickly when attackers use QR shorteners that can change destinations or go dead after a few days. Most scanning occurs on personal mobiles, which have less robust controls than managed desktops.
Deep links and takeovers within apps

Unit 42 saw over 35,000 QR codes with Telegram deep links, such as tg://login; login links made up 97% of the Telegram cases, and approximately one in five of the host pages appeared malicious. Deep links are special URLs that open a specific screen within an application.

An example of a QR code in-app deep link (Source: Palo Alto Networks)

Some lures were specifically designed to target Ukrainian Signal users, while others attempted to link new sessions to accounts on Line, WhatsApp, or Signal.
An illustration of a QR code intended to grant an attacker complete access to the device and Telegram account of its owner (Source: Palo Alto Networks)

Palo Alto Networks also found that about 3% of QR codes contained in-app deep links. They cautioned that defenders might overlook the follow-on behavior because it can be invisible to standard web analysis; it frequently requires a mobile sandbox with the target app installed and a case-by-case examination of custom URL schemes.

An example of a contact poisoning attack (Source: Palo Alto Networks)

To lower risk, security teams should treat QR codes as untrusted input and scan them before users do.
Given that researchers found 59,000 detections linked to 1,457 different APKs distributed via QR codes, security teams should also restrict direct APK installs, block known abuse of QR shorteners, and extend monitoring to QR images in documents and web pages. Organizations should also improve their email and web filtering to identify QR-based lures and stop malicious redirects. Ongoing user awareness training can further reduce the success rate of QR-driven malware and phishing campaigns.
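The defensive steps above amount to treating whatever a QR code decodes to as untrusted input and triaging it before a user's phone acts on it. The following is an added example of that triage logic, not code from Palo Alto Networks or from this article. It assumes the QR image has already been decoded to a string by some scanner library (decoding is out of scope here), and the shortener and app-scheme lists are constructed placeholders that a real deployment would replace with its own threat intelligence. It classifies the payload as a web link, an in-app deep link, a direct APK download, or non-URL text, and raises flags for the patterns the article describes: QR shorteners, direct APK delivery, custom app schemes, and login or session-linking deep links.

```python
"""Triage decoded QR payloads as untrusted input.

Added example; not Palo Alto Networks' tooling. Assumes the QR image has
already been decoded to a text payload by a scanner library.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed policy lists (hypothetical); replace with your own intel feeds.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "qrco.de"}
APP_SCHEMES = {"tg", "whatsapp", "line", "sgnl", "signal", "intent"}
# Substrings that suggest a deep link adds a login or links a new session.
LOGIN_HINTS = ("login", "token", "auth", "link", "session")


@dataclass
class Verdict:
    payload: str
    category: str                 # web | app_deep_link | apk_download | non_url
    flags: list = field(default_factory=list)

    @property
    def should_block(self) -> bool:
        """Any raised flag is enough to hold the payload for review."""
        return bool(self.flags)


def triage(payload: str) -> Verdict:
    """Classify one decoded QR payload and collect risk flags."""
    payload = payload.strip()
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    if not scheme:
        # Plain text, Wi-Fi configs without a scheme, etc.: nothing to open.
        return Verdict(payload, "non_url")

    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    flags: list = []

    if scheme in ("http", "https"):
        category = "web"
        if host in KNOWN_SHORTENERS:
            # Shorteners can retarget or expire the destination after the scan.
            flags.append("shortener")
        if path.endswith(".apk"):
            # Direct APK delivery sidesteps app store review.
            category = "apk_download"
            flags.append("direct_apk")
        if scheme == "http":
            flags.append("cleartext")
    elif scheme in APP_SCHEMES:
        # Opens a screen inside an installed app; invisible to web analysis.
        category = "app_deep_link"
        flags.append("app_scheme")
        text = (host + path + parts.query).lower()
        if any(hint in text for hint in LOGIN_HINTS):
            flags.append("login_or_session_link")
    else:
        # Unknown custom scheme: needs a mobile sandbox and manual review.
        category = "app_deep_link"
        flags.append("unknown_scheme")

    return Verdict(payload, category, flags)


def triage_batch(payloads) -> list:
    """Triage a list of decoded payloads, keeping input order."""
    return [triage(p) for p in payloads]


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner might decode them from images.
    samples = [
        "https://example.com/invoice/2024-03",
        "https://bit.ly/abc123",
        "https://example.com/files/update.apk",
        "tg://login?token=CONSTRUCTED_TOKEN",
        "Table 7 - please scan to view the menu",
    ]
    for v in triage_batch(samples):
        action = "HOLD" if v.should_block else "allow"
        print(f"{action:5} {v.category:14} {','.join(v.flags) or '-':28} {v.payload}")
```

In practice this sits in the email or web filter that the article recommends improving: attachments and page images are run through a QR decoder, the payload is fed to `triage`, and anything held is routed to analysts rather than delivered to a personal phone where the app would act on it immediately.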
Users should be wary of urgent payment prompts, preview the full URL before opening it, and always confirm the source. Keep the operating system updated, disable installation of apps from unknown sources, and never approve app logins or device links from random QR codes.