Never trust QR Codes – they just might betray you

The QR Code is the oldest child of our continuously growing connecting world. Now that most of us have possession of a smartphone, QR Codes have become more and more popular. If we as consumers are interested in a product, we want to know more about it, and a QR Code makes such things easy to realize.

But since almost everyone is able to create their own QR Code through sites like, cybercriminals are also using this ability. In my last article for example, I found out that criminals were using a QR Code to offer their victims a better, easier way to pay the ransom.

I will show how easy it is with a simple experiment … if you are brave enough. I won’t say anything about the content of this QR Code – you’ll need to try it yourself to find out what’s behind it! Let me just say this much: It’s really interesting. Trust me. 😉


Microsoft, a leader when it comes to operating systems, has also recognized the possibilities QR Codes offer and wants to release a new feature in their upcoming “Redstone” update. They want to equip their error screens (Better known as the blue screen of death) with QR Codes so the user will be able to get a better understanding of the error type:


I, as security expert, am sure that cybercriminals have already started to brainstorm about how “useful” this feature can be for their harmful operations. For example, remember the latest Petya ransomware where the cybercriminals were simulating a checkdisk after re-starting the system in order to encrypt the whole computer. With QR Codes, they will also be able to force such an error message during the installation process of malware and simulate such error messages afterwards. And, the user won’t realize that the message was faked by them. The cybercriminals will be copycats to the very end. And then comes the breaking point: You will never know what can happen if you use the QR Code at the end. Nothing? Spam? Funny cat pictures? Or, will it point to a malicious website where there is a Trojan just waiting for you to be downloaded onto your smartphone? You never know …

Therefore, be really careful about QR Codes in Redstone – or anywhere else! Especially if you took part in my experiment and scanned the QR Code because you trusted me blindly without even knowing me. I never said whether it was going to be a clean or malicious link, right? 😉 (Don’t worry though, it is clean) This is the kind of social engineering trick which the bad guys are using, too.

Avira has recognized this security leak many times before. In response, we’ve developed an app which checks URLs encoded in CR Codes with our Avira URL cloud. Try it out at our beta center:

This way, in an ever connecting world, you will always be protected!

This post is also available in: GermanFrenchItalian

Team Leader Virus Lab Disinfection Service