QR Code Phishing Campaigns Deliver Malicious Links and Mobile Malware

What happened

Security researchers at Palo Alto Networks Unit 42 observed a surge in phishing and malware campaigns using QR codes as delivery mechanisms to redirect victims to malicious websites and apps. Attackers embed QR codes in emails, posters, and documents that redirect users through hidden link chains, trigger deep links inside apps such as Telegram, Signal, WhatsApp, and Line, or deliver direct APK downloads that bypass app store protections. Researchers tracked approximately 75,000 QR codes daily, with around 15% leading to malicious destinations, and identified over 59,000 malware detections tied to 1,457 APKs delivered through QR codes. These attacks exploit the fact that QR scans typically occur on mobile devices outside enterprise security controls, enabling credential phishing, account takeover, and malware installation. 

Who is affected

Mobile users and organizations whose employees scan malicious QR codes are affected, as attackers can redirect victims to phishing pages, install malicious apps, or gain unauthorized access to messaging and account services. 

Why CISOs should care

The use of QR codes as phishing and malware delivery channels allows attackers to bypass traditional email and web security controls, particularly when scans occur on unmanaged mobile devices outside enterprise monitoring. 

3 practical actions

  • Treat QR codes as untrusted input. Scan and analyze QR codes before allowing user access to linked content. 
  • Expand detection to QR-based threats. Monitor QR codes embedded in emails, documents, and web content for malicious redirects. 
  • Restrict unauthorized app installations. Prevent direct APK downloads triggered through QR code scanning.
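
One way to apply the first two actions to QR payloads that a mail or document scanner has already decoded, as an added example (not code from Unit 42 or the article): a static triage that flags the delivery patterns described above, namely messaging-app deep links, direct APK downloads, and redirect hops visible in the URL. The scheme, host, and parameter lists and the function name are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed, illustrative lists (not from the article); tune for your environment.
MESSAGING_SCHEMES = {"tg", "sgnl", "whatsapp", "line"}
MESSAGING_HOSTS = {"t.me", "signal.me", "wa.me", "line.me"}
REDIRECT_PARAMS = {"url", "u", "redirect", "redirect_uri", "next", "target", "dest"}
WEB_SCHEMES = ("http", "https")


def triage_qr_payload(payload: str) -> list[str]:
    """Return sorted findings for one decoded QR payload (empty list = nothing flagged)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
        query = parse_qsl(parts.query)
    except ValueError:
        return ["unparseable"]
    scheme = parts.scheme.lower()
    if not scheme:
        return ["not-a-url"]

    findings = set()
    if scheme in MESSAGING_SCHEMES or host in MESSAGING_HOSTS:
        findings.add("messaging-deep-link")
    elif scheme not in WEB_SCHEMES:
        findings.add("non-web-scheme")
    if scheme == "http":
        findings.add("cleartext-http")
    if parts.path.lower().endswith(".apk"):
        findings.add("direct-apk-download")
    for key, value in query:
        # A full URL carried in a query parameter is a redirect hop visible in the payload.
        if key.lower() in REDIRECT_PARAMS and value.lower().startswith(("http://", "https://")):
            findings.add("embedded-redirect")
            findings.update(triage_qr_payload(value))  # inspect the hop's target too
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for sample in (
        "https://example.com/menu",
        "tg://resolve?domain=example",
        "http://files.example.net/update.APK",
        "https://short.example/r?url=https%3A%2F%2Fcdn.example.org%2Fapp.apk",
    ):
        print(sample, "->", triage_qr_payload(sample))
```

This check only sees what is in the payload itself; link chains that redirect server-side still have to be resolved in a sandboxed fetcher before the final destination can be judged.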