Phishing on the Edge of the Web and Mobile Using QR Codes

by Chief Editor

Why QR Codes Are Becoming the New Phishing Playground

QR codes have moved from restaurant menus to everyday transactions, and that convenience is a gold mine for cyber‑criminals. Unit 42’s latest telemetry shows an average of over 11,000 malicious QR code detections every day. The appeal for attackers is structural: a QR code in an email or on a poster is an image, so the URL it carries is invisible to text‑based link scanners, and the scan moves the victim onto a phone that usually sits outside the corporate web proxy. Three tricks dominate: shortened URLs, in‑app deep links, and direct app downloads.

Shortened QR Codes: The Invisible Redirect

QR‑code shorteners combine a URL shortener with a QR generator, creating a tiny image that can point to any destination, even one that changes after the code is printed. Because the code itself encodes only the shortener’s domain, any reputation check on the encoded URL sees a well‑known service; the malicious destination appears only when the short link is resolved, and the operator can swap it at will.

  • Traffic surge: QR‑code shortener traffic grew 55 % from H1 2023 to H1 2024 and another 44 % from H1 2024 to H1 2025.
  • Top abused services: qrco.de, me-qr.com and qrs.ly account for the majority of malicious shorteners.
  • Industry impact: Financial‑services organizations account for 29 % of the malicious shortener traffic observed, even though they generate only 4.8 % of shortener traffic overall.

One real‑world example showed a QR code on a fake school page that first redirected to a CAPTCHA, then landed on a phishing Outlook login hosted at cdnimg.jeayacrai.in.net. The CAPTCHA is not decoration: it keeps automated crawlers and sandboxes from ever reaching the credential page, so the link looks harmless to anything that does not solve the challenge. After a few days the link stopped working, illustrating how short‑lived shortener‑based infrastructure is.
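The chain above (shortener, intermediate page, CAPTCHA gate on a third host) is the kind of thing you want to trace hop by hop without rendering anything. The tracer below is an added example, not code from the Unit 42 report: it records every HTTP 3xx and HTML meta‑refresh hop, flags a shortener hop (whose target can be edited after printing), a CAPTCHA gate in front of the landing page, and a final host that differs from the one the QR code encodes. The hostnames in SAMPLE_CHAIN are constructed for the demo; the shortener list holds only the three services named above.

```python
"""Hop-by-hop resolution of a QR shortener chain without rendering anything.

Added example: a small tracer that records every redirect hop (HTTP 3xx and
HTML meta-refresh) and flags what a practitioner cares about. The hostnames in
SAMPLE_CHAIN are constructed for the demo.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# QR shortener hosts named in the Unit 42 data; extend as your telemetry warrants.
QR_SHORTENER_HOSTS = {"qrco.de", "me-qr.com", "qrs.ly"}
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'>\s]+)', re.I)
CAPTCHA_GATE = re.compile(r"captcha|challenge", re.I)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def next_hop(url, status, headers, body):
    """Return the URL this response sends the client to, or None if it is final."""
    location = headers.get("location")
    if 300 <= status < 400 and location:
        return urljoin(url, location)
    m = META_REFRESH.search(body)
    return urljoin(url, m.group(1)) if m else None


def resolve_chain(start_url, fetch, max_hops=10):
    """Follow a chain using fetch(url) -> (status, headers, body) that does NOT
    follow redirects itself. Returns (hops, findings)."""
    hops, findings, seen = [start_url], [], {start_url}
    current = start_url
    for _ in range(max_hops):
        if host_of(current) in QR_SHORTENER_HOSTS:
            findings.append(f"shortener hop via {host_of(current)}: target is editable after printing")
        status, raw_headers, body = fetch(current)
        headers = {k.lower(): v for k, v in raw_headers.items()}
        nxt = next_hop(current, status, headers, body)
        if nxt is None:
            if CAPTCHA_GATE.search(body):
                findings.append("CAPTCHA gate in front of the landing page: crawlers stop here")
            break
        if nxt in seen:
            findings.append("redirect loop")
            break
        seen.add(nxt)
        hops.append(nxt)
        current = nxt
    else:
        findings.append(f"gave up after {max_hops} hops")
    if host_of(hops[-1]) != host_of(hops[0]):
        findings.append(f"final host {host_of(hops[-1])} differs from encoded host {host_of(hops[0])}")
    return hops, findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # make urllib raise on 3xx so each hop is observed by the caller


def live_fetch(url, timeout=10):
    """Fetch one hop over the network (not exercised by the offline demo)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), ""


# Constructed chain modelled on the school-page example: shortener -> fake
# school page (meta refresh) -> CAPTCHA gate on a third host.
SAMPLE_CHAIN = {
    "https://qrco.de/abc123": (302, {"Location": "https://school-portal.example/news"}, ""),
    "https://school-portal.example/news": (200, {"Content-Type": "text/html"},
        '<html><meta http-equiv="refresh" content="0;url=https://cdn-img.example.net/verify"></html>'),
    "https://cdn-img.example.net/verify": (200, {"Content-Type": "text/html"},
        "<html><title>Complete the CAPTCHA to continue</title></html>"),
}


def sample_fetch(url):
    return SAMPLE_CHAIN.get(url, (404, {}, ""))


if __name__ == "__main__":
    hops, findings = resolve_chain("https://qrco.de/abc123", sample_fetch)
    print("\n".join(hops))
    print("\n".join(findings))
```

Swap `sample_fetch` for `live_fetch` to trace a real code; the fetcher deliberately never follows redirects itself, so the hop list is the complete record, and a chain that ends on a CAPTCHA page is reported as exactly that rather than as a benign 200.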

In‑App Deep Links: From a Scan to Full Account Takeover

Deep links let a QR code launch a specific screen inside a mobile app. They are convenient for legitimate payments or navigation, but because the operating system hands the payload straight to the app, a single scan can complete an action (a pre‑filled payment, a device link, a session login) that the victim never meant to authorize.

  • Financial fraud: QR codes that encode bitcoin:, upi://pay or metamask://connect links can trigger pre‑filled payment requests.
  • Messenger takeover: Over 35,000 QR codes contain Telegram deep links such as tg://login?token=…, the token Telegram’s own QR login flow uses. A logged‑in Telegram app that scans such a code authorizes the session that generated the token, so an attacker who presents their own login QR ends up with a fully authenticated session on the victim’s account. One in five host pages carrying these links is malicious.
  • Signal targeting: State‑aligned actors have used Signal’s “link device” QR flow to steal Ukrainian users’ messages, as documented by the Google Threat Intelligence Group.
  • Other apps: Line, WhatsApp, and calendar utilities have also been abused to add malicious contacts, embed rogue Wi‑Fi credentials, or insert phishing URLs into calendar events.

The report’s figures include a QR code that, when scanned, adds a contact (vCard) carrying a malicious URL, or auto‑joins a rogue Wi‑Fi network, each with no indication to the user of what has just changed.
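The defensive counterpart to all of the above is to look at the payload before any app handles it. The classifier below is an added example, not code from the Unit 42 report: it recognizes the formats this section discusses (Telegram’s tg://login, Signal’s sgnl://linkdevice, BIP21 bitcoin:, UPI upi://pay, the WIFI: and vCard payloads camera apps honour, a bare link to an APK) and reports what action a scan would trigger. The sample payloads at the bottom are constructed, and the risk tiers are this example’s own judgement.

```python
"""Preview what a scanned QR payload would do before any app handles it.

Added example: a classifier for the payload types the deep-link section
discusses. The scheme formats are the real ones; SAMPLE_PAYLOADS are
constructed and the risk tiers are this example's own.
"""
from urllib.parse import parse_qs, urlsplit


def parse_wifi(payload):
    """WIFI:T:WPA;S:<ssid>;P:<password>;H:<hidden>;; -> dict of fields.
    Escaped ';' inside values is not handled (assumption: plain SSIDs)."""
    fields = {}
    for part in payload[len("WIFI:"):].split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key] = value
    return fields


def parse_vcard(payload):
    """Collect vCard properties (FN, TEL, URL, ...) as name -> list of values."""
    props = {}
    for line in payload.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            props.setdefault(name.split(";")[0].upper(), []).append(value.strip())
    return props


def classify(payload):
    """Return (action, risk, details): what the OS/app will do with this payload."""
    text = payload.strip()
    upper = text.upper()
    if upper.startswith("WIFI:"):
        f = parse_wifi(text)
        return "join-wifi", "high", {"ssid": f.get("S"), "auth": f.get("T"), "hidden": f.get("H") == "true"}
    if upper.startswith("BEGIN:VCARD"):
        props = parse_vcard(text)
        urls = props.get("URL", [])
        risk = "high" if any(u.lower().startswith(("http://", "https://")) for u in urls) else "medium"
        return "add-contact", risk, {"name": props.get("FN", [None])[0], "urls": urls}

    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if scheme == "tg" and parts.netloc.lower() == "login" and "token" in query:
        # Scanning with a logged-in Telegram app authorises whoever generated the token.
        return "authorize-session", "critical", {"app": "telegram"}
    if scheme == "sgnl" and parts.netloc.lower() == "linkdevice":
        # Signal's link-device flow: the scanning phone adds a new linked device.
        return "link-device", "critical", {"app": "signal"}
    if scheme == "bitcoin":
        return "prefilled-payment", "high", {"address": parts.path, "amount": query.get("amount")}
    if scheme == "upi" and parts.netloc.lower() == "pay":
        return "prefilled-payment", "high", {"payee": query.get("pa"), "amount": query.get("am")}
    if scheme == "metamask":
        return "wallet-connect", "critical", {"app": "metamask", "action": parts.netloc}
    if scheme in ("http", "https"):
        if parts.path.lower().endswith(".apk"):
            return "sideload-apk", "critical", {"host": parts.hostname}
        return "open-url", "medium", {"host": parts.hostname}
    if scheme:
        return "custom-scheme", "high", {"scheme": scheme}
    return "text", "low", {"length": len(text)}


SAMPLE_PAYLOADS = [  # constructed for the demo
    "tg://login?token=AbCdEf123",
    "bitcoin:bc1qexampleaddress?amount=0.05&label=Invoice",
    "upi://pay?pa=merchant@bank&pn=Shop&am=499&cu=INR",
    "WIFI:T:WPA;S:FreeGuestWiFi;P:hunter2;;",
    "BEGIN:VCARD\nVERSION:3.0\nFN:IT Helpdesk\nURL:https://helpdesk-login.example/reset\nEND:VCARD",
    "https://cdn.example.net/app-release.apk",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        action, risk, details = classify(p)
        print(f"{risk:8} {action:18} {details}")
```

The point of the "action" label is that none of these payloads is a web page: a tg://login token, a UPI payment request or a WIFI: string is consumed by the app or the OS, which is why a URL filter alone never sees the risk.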

Direct APK Downloads: Bypassing App Store Safeguards

QR codes can point straight to an Android Package (APK) file, sidestepping Google Play’s review process. Unit 42 identified 59,000 host pages distributing 1,457 distinct APKs via QR codes.

  • Gambling apps: QR codes link to yicai.apk, NagaPocker.apk and app-u7cp-release.apk, requesting permissions such as external‑storage write, camera and fine location.
  • Phone‑optimization tools: The ludashi_home.apk app requests audio recording, battery status, camera access and package‑install (REQUEST_INSTALL_PACKAGES) permissions.
  • Education social networks: The k12sns.apk app requests internet, log‑reading (READ_LOGS) and wake‑lock permissions.

These apps often demand “install packages” rights, and that is the red flag to watch: an app that can install other packages has no need for the store at all and can pull down further payloads, including credential‑stealing components, after the initial install.
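Permission triage of a sideloaded APK is routine work, and the red flag above is easy to automate. The script below is an added example, not code from the Unit 42 report: it parses the lines that `aapt dump badging` prints for an APK and scores the permission set, treating INTERNET plus REQUEST_INSTALL_PACKAGES as a dropper pattern and a targetSdkVersion below 23 (install‑time permission grants, no runtime prompts) as an aggravating factor. The permission strings are the real Android names; the badging text is constructed for a fictitious “optimizer”, and the weights and thresholds are this example’s own.

```python
"""Triage the permission set of a QR-delivered APK from `aapt dump badging` output.

Added example, not from the Unit 42 report. The permission strings are real
Android names; SAMPLE_BADGING is constructed and the scoring is this example's own.
"""
import re

PKG_RE = re.compile(r"^package: name='([^']+)'")
VERSION_RE = re.compile(r"versionCode='([^']*)'")
# Old aapt prints uses-permission:'x', newer prints uses-permission: name='x'.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=)?'([^']+)'")
TARGET_RE = re.compile(r"^targetSdkVersion:'(\d+)'")

FLAGGED = {
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropper", 5),
    "android.permission.READ_SMS": ("otp-theft", 5),
    "android.permission.RECEIVE_SMS": ("otp-theft", 5),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay-phishing", 4),
    "android.permission.READ_LOGS": ("data-theft", 4),
    "android.permission.RECORD_AUDIO": ("surveillance", 4),
    "android.permission.ACCESS_FINE_LOCATION": ("tracking", 3),
    "android.permission.CAMERA": ("surveillance", 2),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("persistence", 2),
}


def parse_badging(text):
    """Pull package name, versionCode, targetSdkVersion and permissions out of aapt output."""
    info = {"package": None, "version_code": None, "target_sdk": None, "permissions": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PKG_RE.match(line):
            info["package"] = m.group(1)
            if v := VERSION_RE.search(line):
                info["version_code"] = v.group(1)
        elif m := PERM_RE.match(line):
            info["permissions"].append(m.group(1))
        elif m := TARGET_RE.match(line):
            info["target_sdk"] = int(m.group(1))
    return info


def triage(info):
    """Score the permission set and return a verdict with the reasons behind it."""
    perms = set(info["permissions"])
    reasons, score = [], 0
    for perm in info["permissions"]:
        if perm in FLAGGED:
            category, weight = FLAGGED[perm]
            reasons.append(f"{perm}: {category}")
            score += weight
    if {"android.permission.REQUEST_INSTALL_PACKAGES", "android.permission.INTERNET"} <= perms:
        reasons.append("INTERNET + REQUEST_INSTALL_PACKAGES: can fetch and install further payloads (dropper pattern)")
        score += 5
    if info["target_sdk"] is not None and info["target_sdk"] < 23:
        reasons.append(f"targetSdkVersion {info['target_sdk']} < 23: permissions granted at install time, no runtime prompts")
        score += 3
    verdict = "block" if score >= 10 else "review" if score >= 4 else "allow"
    return {"package": info["package"], "score": score, "verdict": verdict, "reasons": reasons}


# Constructed `aapt dump badging` output for a fictitious "phone optimizer".
SAMPLE_BADGING = """\
package: name='com.example.optimizer' versionCode='7' versionName='1.3'
sdkVersion:'19'
targetSdkVersion:'22'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.BATTERY_STATS'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
launchable-activity: name='com.example.optimizer.MainActivity'  label='' icon=''
"""

if __name__ == "__main__":
    result = triage(parse_badging(SAMPLE_BADGING))
    print(result["package"], result["verdict"], result["score"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Feed it `aapt dump badging suspicious.apk` output and the verdict comes with the reasons, which is what a reviewer needs; a Play‑reviewed app targeting a current SDK and asking only for CAMERA would score 2 and pass.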

Emerging Trends to Watch

  • Dynamic QR‑code ecosystems: Shorteners that allow post‑deployment URL changes make detection harder for static scanners.
  • Cross‑app deep linking: As more apps expose custom URL schemes, attackers will craft multi‑step chains that move from a payment app to a messenger, then to a data‑exfiltration endpoint.
  • Targeted messenger attacks: State‑linked groups are focusing on Signal and Telegram, especially in conflict zones, to harvest sensitive communications.
  • Malicious APK marketplaces: QR‑driven distribution of APKs is likely to expand beyond gambling to fake “productivity” tools that request extensive device permissions.

Did You Know?

Scanning a QR code on a corporate‑issued device can sidestep the organization’s web filter. A deep‑link payload is handed by the OS straight to the target app, so no browser request ever passes through the proxy; and when the code is scanned with a personal phone instead, the resulting traffic leaves over the mobile network and never touches the corporate filter at all.

Pro Tip: Safeguard Your Scans

Most camera apps decode a QR code and show the payload before opening it; read that preview instead of tapping through. If it shows a shortener (e.g., qrco.de) or an unfamiliar app scheme (e.g., tg://), stop and verify the source. Remember that the preview of a shortened link shows only the first hop, not the page you will actually land on, so a recognizable shortener domain is no reassurance.

Frequently Asked Questions

What is “quishing”?
Quishing is phishing that uses QR codes to direct victims to malicious sites or deep links.
Can security tools detect malicious QR codes?
Advanced URL filtering and mobile sandboxes can decode the image, then analyze the landing page, deep link or embedded APK. Tools that only scan text links never see the URL inside a QR image, and many traditional web crawlers stop at the shortener or CAPTCHA hop and miss the real destination.
Are QR‑code shorteners always unsafe?
No. Legitimate services exist, but attackers exploit the same platforms. Look for unexpected shorteners or domains you don’t recognize.
How do I protect my organization?
Deploy mobile threat defense, use MDM to block sideloading (unknown sources and install‑packages rights) so that only app‑store installs are possible, and educate users about the risks of scanning unknown QR codes.

Take Action

Have you encountered a suspicious QR code at work or home? Share your story in the comments below, and subscribe to our newsletter for the latest threat intel and practical defenses.

For deeper technical details, read the full Unit 42 QR‑code phishing report and explore related articles on mobile threats and deep‑link security.
