Research

Malicious QR codes pushing Android malware

According to Wikipedia QR code is a type of matrix barcode (or two-dimensional code) first designed for the automotive industry. QR codes are becoming more and more popular today and are used in banners, magazines, transport and badges in order to provide quick and easy access to particular information. A QR code has a pretty big capacity (compared to a simple barcode) and is able to store 7089 numeric characters or 4296 alphanumeric characters; and it is more than enough to store text or URL.

But about the malicious QR codes? Yes, you scan a QR code with the help of your smartphone and it redirects you to a URL with a malicious file (APK or JAR). Such QR codes exist and are gaining in popularity.

Today people who use smartphones often look for new software for their devices with the help of desktop PCs. If a user finds something interesting he or she must retype the application URL in the smartphone browser for downloading it. It’s not very convenient so that’s why such websites have QR codes which can be easily scanned.

It is known that today a lot of mobile malware (especially SMS Trojans) is spread via sinister websites where all software is malicious. And cybercriminals have started to use malicious QR codes for users’ ‘convenience’. Here is an example of such a website:

Part of the website with malicious QR code

It is interesting to mention that the blurred URL is working but there is no ‘jimm.apk’ file associated with this link. But if a user scans the QR code he will be redirected to another URL that does have a ‘jimm.apk’ file. This file is detected by us as Trojan-SMS.AndroidOS.Jifake.f:

The malware itself is a Trojanized Jimm application (mobile ICQ client) which sends several SMS messages to premium rate number 2476 (6 USD each). After the installation an icon named ‘JimmRussia’ will appear in the phone menu.

Trojan-SMS.AndroidOS.Jifake.f

At the same time other websites also contain malicious QR codes with the links to various J2ME SMS Trojans:

Another website with malicious QR code

Usage of QR codes for malware spreading was predictable. And as long as this technology is popular cybercriminals will use it. These two examples illustrate the very beginning of such usage and in the nearest future likely we will see more pieces of mobile malware which is spread via QR codes.

Malicious QR codes pushing Android malware

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox