QR Codeマルウェア: 脅威と対策
How QR codes can deliver malware: drive-by downloads, app store redirects, and scanner vulnerabilities. Defence strategies.
QR Code Malware: Threats and Mitigation
QR codes themselves cannot contain executable malware, but they can redirect users to malicious content. Understanding the threat vectors helps organisations and individuals defend against QR code-based attacks.
Threat Vectors
Drive-by downloads: QR codes linking to web pages that exploit browser vulnerabilities to download malware without user interaction. Modern browsers have significantly reduced this risk, but unpatched devices remain vulnerable.
Malicious app installation: QR codes linking to fake app stores or direct APK download links. Android is particularly vulnerable when "Install from unknown sources" is enabled.
Credential phishing: QR codes linking to convincing fake login pages that harvest usernames and passwords. The most common and effective QR-based attack. See QRishing.
Payment fraud: QR codes that initiate unauthorised payments or redirect payment flows to attacker-controlled accounts.
WiFi MITM: Malicious WiFi QR codes that connect the device to an attacker-controlled network for traffic interception.
Defence Layers
Device level: - Keep operating system and browser updated - Do not enable "Install from unknown sources" on Android - Use a mobile security solution that scans URLs
Scanning behaviour: - Preview URLs before opening (native camera shows this) - Verify the domain matches the expected destination - Never scan QR codes from untrusted sources for sensitive actions - Be suspicious of QR codes requesting app installations
Organisational: - URL filtering and web security gateways - Employee training on QR code security awareness - Security audit checklists for deployed QR codes - Incident response plans for QR-based attacks
Real-World Attack Examples
- Parking meter QR code scams across US cities (2022-2023)
- Fake restaurant menu QR codes leading to phishing pages
- Crypto wallet QR code substitution attacks
- Fake delivery notification QR codes in email
Key Takeaways
- QR codes are vectors, not payloads — they redirect to threats, not contain them
- Credential phishing is the most common and effective QR-based attack
- URL preview before opening is the single most effective consumer defence
- Keep devices updated to mitigate drive-by download vulnerabilities
- Organisations should include QR codes in security awareness training