QR codes have been showing up everywhere in the last few months, from magazine ads to the sides of buses to, oddly, billboards. And now they’ve shown up on the list of ways that attackers are delivering malware to victims, with the emergence of a new Android-based Trojan that is hiding on malicious sites linked to by some QR codes.
The new Trojan has been found on some malicious sites and is still active right now. When users scan the QR code with their mobile phones, the code redirects them to a site that will install a Trojan on their phones. Once installed, the Trojan will send a number of SMS messages to premium-rate numbers, which will end up costing the victim some money, depending on how quickly she is able to find and remove the Trojan.
QR, or quick response, codes are designed to give mobile phone users an easy way to get information about products or services by scanning the code with a special app. Depending on the app that’s used, it either will automatically redirect the user’s browser to the site contained in the code or will display the URL and ask the user if she wants to go to the site. Still, even if the app does display the URL, there’s no real way for the user to know whether the site is malicious.
The Trojan, discovered by researchers at Kaspersky Lab, is contained on a site that is linked to from some specific QR codes. The code is also accompanied by a text URL; however, just typing in the URL doesn’t lead you to the malware. Scanning the QR code on an Android phone and visiting the site that way will deliver the malware, according to research by Denis Maslennikov.
“The malware itself is a Trojanized Jimm application (mobile ICQ client) which sends several SMS messages to premium rate number 2476 (6 USD each). After the installation an icon named ‘JimmRussia’ will appear in the phone menu,” he wrote.
He also found that there are other sites that are hosting some J2ME Trojans linked to by a QR code.
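An added example, not taken from the Kaspersky research or the original article: a scanner-side check that flags a QR link when it hands the phone an installable package (Android APK or J2ME JAR/JAD) before the browser is opened. The function names, the `qr-landing.example` host and the sample responses are constructed, and the per-client comparison assumes the responses were collected separately by a sandboxed fetcher.

```python
import re
from urllib.parse import urlsplit

# MIME types and file extensions of installable mobile packages (Android APK, J2ME JAR/JAD).
INSTALLABLE_TYPES = {
    "application/vnd.android.package-archive",
    "application/java-archive",
    "text/vnd.sun.j2me.app-descriptor",
}
INSTALLABLE_EXTS = (".apk", ".jar", ".jad")

def delivers_installable(final_url, headers):
    """True if this response (URL after redirects + headers) is an app package."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    m = re.search(r'filename="?([^";]+)', h.get("content-disposition", ""), re.I)
    names = [urlsplit(final_url).path, m.group(1) if m else ""]
    return ctype in INSTALLABLE_TYPES or any(
        n.lower().endswith(INSTALLABLE_EXTS) for n in names)

def triage(payload, responses):
    """payload: decoded QR text. responses: {client: (final_url, headers)}."""
    scheme = urlsplit(payload.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return [f"non-web payload ({scheme or 'plain text'}): show it, do not act on it"]
    verdicts = {c: delivers_installable(u, h) for c, (u, h) in responses.items()}
    findings = [f"{c}: link delivers an installable package"
                for c, bad in sorted(verdicts.items()) if bad]
    if len(set(verdicts.values())) > 1:
        # The same link behaves differently per client, so one clean fetch proves little.
        findings.append("response differs by client: a desktop check alone is not enough")
    return findings

# Constructed sample data (hypothetical host, not an indicator from the article).
SAMPLE_PAYLOAD = "http://qr-landing.example/jimm"
SAMPLE_RESPONSES = {
    "desktop": ("http://qr-landing.example/jimm",
                {"Content-Type": "text/html; charset=utf-8"}),
    "android": ("http://qr-landing.example/dl/jimm.apk",
                {"Content-Type": "application/vnd.android.package-archive"}),
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_PAYLOAD, SAMPLE_RESPONSES):
        print(finding)
```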
Recently, a security researcher demonstrated a similar proof-of-concept attack in which he created a QR tag that contained a pointer to a site he controlled that was running an instance of Metasploit. Augusto Peryra said the technique could be used to deliver malware to unsuspecting users, which is now coming to fruition. The only challenge really is getting the QR codes with the malicious URL on them in front of users, but that can be done easily by printing custom stickers or other materials with the codes.