มัลแวร์ผ่าน QR Code: ภัยคุกคามและการรับมือ

Embed This Widget

Theme


      
    

Widget powered by . Free, no account required.

How QR codes can deliver malware: drive-by downloads, app store redirects, and scanner vulnerabilities. Defence strategies.

QR Code Malware: Threats and Mitigation

QR codes themselves cannot contain executable malware, but they can redirect users to malicious content. Understanding the threat vectors helps organisations and individuals defend against QR code-based attacks.

Threat Vectors

Drive-by downloads: QR codes linking to web pages that exploit browser vulnerabilities to download malware without user interaction. Modern browsers have significantly reduced this risk, but unpatched devices remain vulnerable.

Malicious app installation: QR codes linking to fake app stores or direct APK download links. Android is particularly vulnerable when "Install from unknown sources" is enabled.

Credential phishing: QR codes linking to convincing fake login pages that harvest usernames and passwords. The most common and effective QR-based attack. See QRishing.

Payment fraud: QR codes that initiate unauthorised payments or redirect payment flows to attacker-controlled accounts.

WiFi MITM: Malicious WiFi QR codes that connect the device to an attacker-controlled network for traffic interception.

Defence Layers

Device level: - Keep operating system and browser updated - Do not enable "Install from unknown sources" on Android - Use a mobile security solution that scans URLs

Scanning behaviour: - Preview URLs before opening (native camera shows this) - Verify the domain matches the expected destination - Never scan QR codes from untrusted sources for sensitive actions - Be suspicious of QR codes requesting app installations

Organisational: - URL filtering and web security gateways - Employee training on QR code security awareness - Security audit checklists for deployed QR codes - Incident response plans for QR-based attacks

Real-World Attack Examples

  • Parking meter QR code scams across US cities (2022-2023)
  • Fake restaurant menu QR codes leading to phishing pages
  • Crypto wallet QR code substitution attacks
  • Fake delivery notification QR codes in email

Key Takeaways

  • QR codes are vectors, not payloads — they redirect to threats, not contain them
  • Credential phishing is the most common and effective QR-based attack
  • URL preview before opening is the single most effective consumer defence
  • Keep devices updated to mitigate drive-by download vulnerabilities
  • Organisations should include QR codes in security awareness training