With the rise of cashless payments and digital transactions, QR codes are becoming more popular today. They look like a collage of small and big squares but each QR code is actually unique and can do much stuff depending on what it is intended to. QR codes can be used to share files, share information, and establish links to designated internet content. In fact, the application of QR codes is quite overwhelming. In fact, QR codes were used in data gathering and contact tracing in the fight against COVID-19.

What are QR Codes?

QR codes or Quick Response codes were first developed in Japan back in 1994. The principle behind is similar to bar codes but QR codes can store more information. Bar codes can only be read horizontally making it a one-dimensional data code that can only contain 20-25 characters while QR codes are two-dimensional which can be read both horizontal and vertical, making it able to store more complex information than barcodes.

How do they work?

Like bar codes, QR codes need to be scanned to read the data they store. Modern smartphones usually come in with a built-in app to read QR codes using the phone’s camera. You can also download a QR scanner from the app store. Once scanned, your phone should be able to crack the code and show its content.

Despite the many applications of QR codes, what they actually do is only establish links. What varies is to what and where the link leads to. Bottom line is, the internet is crucial to how QR codes work – it always leads to specific internet content.

Can QR codes be used to spread malware?

The answer to this question is both yes and no. No, because the size of the file it can carry is too small to contain executable programs like viruses. So, scanning a QR code is relatively safe. This is also one good reason why QR codes are being used even by financial institutions.

The other answer is yes. Even though it cannot store a virus, a QR code can be used to establish a connection to malicious websites where the virus could come from. Since it’s impossible to see which link it leads us to with our naked eye, hackers can use QR codes as a trap to blindly lure us into visiting phishing and malicious sites.

What can we do then?

Thankfully, our phone’s security features are diligent enough to prompt or show us where a QR code is leading us before actually establishing a connection. That’s why it is important to check the linked address before allowing internet access. Most of the legitimate websites can be easily identified within the link. However, sometimes, links embedded within QR codes can be impossible to discern to where it leads, and letting it connect to the internet is the only way to find out. This is where the danger could come.

So, to protect our devices, there are a few things we can do.

  1. Update your phone’s antivirus. Mobile devices usually have built-in antivirus, but you can choose to install one. Leading antivirus software has a mobile version that you can download. Take note that antivirus developers are aware that QR codes can be used to spread malware and they are working round the clock in creating countermeasures. That’s why it is important to update them and scan your device regularly.
  2. Only scan codes from legitimate sources. Restaurants who use QR codes for ordering usually have the code on their table. Avoid scanning codes that came from other sources even though they seem to be legit. You can always visit the company’s official website for its legit QR code.
  3. Take advantage of the permission management feature on your phone. Managing app permission is a very easy thing to do on mobile devices. You can set your browser app to ‘always ask first’ whenever it tries to do something. That way, the app would ask for your permission if it is downloading something or accessing your camera or storage. If a code routes you to a malicious website that auto-downloads a virus, your browser will let you know that it is trying to do something.
  4. Manage autoplay on USB settings on your computer. Autoplay is a feature that decides what your computer will do whenever a USB, memory card, or phone is plugged in. By managing these settings, your computer won’t run anything coming from removable drives without letting you know. This is because operating systems on PC and a phone work differently, so malware is also configured differently. Malware can be undetected or not harmful on a phone but can be potent to a PC. QR codes can be used to make you download malware on your phone waiting for you to plug it in a PC to wreak some havoc.

QR codes are not intended for harm but cybercriminals will use them to do their thing. Due diligence and care are necessary to protect ourselves.