QR Codes Found Sending Users to Site Containing Android Trojan

QR codes have been showing up everywhere in the last few months, from magazine ads to the sides of buses to, oddly, billboards. And now they’ve shown up on the list of ways that attackers are delivering malware to victims, with the emergence of a new Android-based Trojan that is hiding on malicious sites linked to by some QR codes.


The new Trojan has been found on some malicious sites and is still active right now. When users scan the QR code with their mobile phones, the code redirects them to a site that will install a Trojan on their phones. Once installed, the Trojan will send a number of SMS messages to premium-rate numbers, which will end up costing the victim some money, depending on how quickly she is able to find and remove the Trojan.

QR, or quick response, codes are designed to give mobile phone users an easy way to get information about products or services by scanning the code with a special app. Depending on the app that’s used, it either will automatically redirect the user’s browser to the site contained in the code or will display the URL and ask the user if she wants to go to the site. Still, even if the app does display the URL, there’s no real way for the user to know whether the site is malicious.

The Trojan, discovered by researchers at Kaspersky Lab, is hosted on a site that is linked to from some specific QR codes. The code is also accompanied by a text URL, but simply typing in that URL does not lead to the malware. Scanning the QR code on an Android phone and visiting the site that way, however, does deliver the malware, according to research by Denis Maslennikov.
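The two paragraphs above describe what a scanner app does with a decoded code and the mismatch between the printed URL and the scanned one. As an added example (not code from the article, Kaspersky Lab or any scanner app), here is a small triage routine a scanner could run on the decoded payload before opening the browser; all hostnames and payloads are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample scans: (decoded QR payload, URL printed beside the code or None).
# None of these are the real URLs from the incident.
SAMPLE_SCANS = [
    ("http://example.com/promo", "example.com/promo"),
    ("http://example.net/jimm.apk", "example.com/promo"),
    ("http://example.org/client.jar", None),
    ("market://details?id=com.example.app", None),
]

# Package types the article's Trojans were delivered as (Android APK, J2ME JAR/JAD).
INSTALLABLE_EXT = (".apk", ".jar", ".jad")


def _split(url):
    """urlsplit() after supplying http:// when the scheme is missing
    (printed URLs usually omit it)."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def assess_scan(payload, printed_url=None):
    """Classify a decoded QR payload before the browser is opened.

    Returns a list of reasons the app should ask the user to confirm;
    an empty list means nothing suspicious was found by these checks."""
    reasons = []
    parts = _split(payload)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in ("http", "https"):
        # e.g. market://, tel:, sms: hand the payload to another app, not the browser
        reasons.append("non-web scheme %r: opens another app, not the browser" % scheme)
    if parts.path.lower().endswith(INSTALLABLE_EXT):
        reasons.append("payload points directly at an installable package (%s)"
                       % parts.path.rsplit(".", 1)[-1].lower())
    if printed_url is not None:
        printed_host = (_split(printed_url).hostname or "").lower()
        if printed_host and printed_host != host:
            reasons.append("encoded host %r differs from printed host %r"
                           % (host, printed_host))
    return reasons


def triage(scans=SAMPLE_SCANS):
    """Run assess_scan over every (payload, printed_url) pair; keep only flagged ones."""
    return {p: assess_scan(p, printed) for p, printed in scans if assess_scan(p, printed)}
```

These checks cannot tell a malicious site from a benign one (the article makes that point); they only surface the cases where the user is about to leave the web or fetch a package, or where the code does not say what the printed text says.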

“The malware itself is a Trojanized Jimm application (mobile ICQ client) which sends several SMS messages to premium rate number 2476 (6 USD each). After the installation an icon named ‘JimmRussia’ will appear in the phone menu,” he wrote.

He also found that there are other sites that are hosting some J2ME Trojans linked to by a QR code.

Recently, a security researcher demonstrated a similar proof-of-concept attack in which he created a QR tag that contained a pointer to a site he controlled that was running an instance of Metasploit. Augusto Pereyra said the technique could be used to deliver malware to unsuspecting users, which is now coming to fruition. The only real challenge is getting the QR codes with the malicious URL on them in front of users, but that can be done easily by printing custom stickers or other materials with the codes.


Discussion

  • Anonymous on

    So, the message is that there is no threat. Dumb, real dumb alarmist article.

  • Anonymous on

    Seems to me whatever is mentioned here applies to "buttons" as well (facebook, google, paypal, ebay, or any shopping cart buttons). The scenario painted is targeting users who actually would install an APK or JAR from an unknown source. 

    It seems weird that anyone would do that, but I thought the lesson learnt should be to highlight and educate users NOT to click "install" when they see these kinds of files being downloaded, for ANY type of action that resulted in such a warning, regardless of whether it is from a QR code or not.

  • Anonymous on

    What is described here is also applicable to buttons (fake google, apple, paypal, or any shopping cart buttons) or links right?

    I think the lesson learnt from the scenario painted should be that users should not install APK/JAR from unknown sources. For ANY type of phone (JAR used to be a common security threat back in the Win CE days as well).

    This article probably paints a wrong message to non-techies, that JAR/APK downloaded via other means (other than QR) is safe.

  • Jim Moore on

    No, there is a threat. Yes, you can put a malicious link behind a Facebook or Paypal button. And some dumb bunnies still push it, instead of doing a mouse over and finding out that if Paypal is taking me to hxxp://paypal.victim.com/exploitme.php, then maybe I should be cautious. There is some user awareness out there. It is also the same problem with TinyURLs, except there too, we have Firefox plug-ins that expand them, and some of the population use them, because they have become aware of the threat. What this article seems to be saying is that QR codes give you no basis for judging them. The second thing is that QR codes for something popular place a high reward for hackers of websites. A website with a QR code for a discount on the latest Kindle or something could be something that draws hackers to the website to try to plant malware, since someone credible has already done the difficult job of advertising.
