Executive Summary
QR codes have become a staple of everyday interactions, from contactless payments to event check‑ins. However, their ubiquity also makes them an attractive vector for cybercriminals. Unit 42’s latest threat report, “Phishing on the Edge of the Web and Mobile Using QR Codes,” documents a surge in three primary attack techniques: QR codes that use URL shorteners to hide malicious destinations, in‑app deep links that facilitate account takeover or illicit transactions, and direct downloads of malicious APKs that bypass app‑store security. The report highlights that over 11,000 unique malicious QR code detections are logged daily, with attackers targeting financial services, high‑tech, and retail sectors disproportionately.
QR Code Short‑Link Tactics
Attackers generate QR codes that redirect to popular short‑link services such as qrco.de, me‑qr.com, and qrs.ly. The short link initially presents a benign landing page—often a CAPTCHA or a seemingly legitimate website—before redirecting to a phishing site that mimics trusted login portals (e.g., Outlook, banking). This two‑step approach allows attackers to change the final destination after distribution, making detection and blocking difficult. Data shows that 15% of QR code pages contain malicious short links, translating to more than 11,000 daily detections.
In‑App Deep Links: The New Phishing Frontier
Modern mobile apps support deep links that open specific screens or trigger actions within the app. Attackers leverage this capability to create QR codes that, when scanned, prompt the victim to authenticate into a messaging service, authorize a payment, or add a device to a contact list. The report identifies over 35,000 Telegram deep‑link QR codes, 44.7% of which target login flows. Similar tactics are employed against Line, Signal, and WhatsApp. The result is a rapid account takeover, enabling attackers to exfiltrate message history, impersonate the victim, or funnel funds.
Financial deep links are equally concerning. QR codes embedded in phishing campaigns direct victims to cryptocurrency wallets (Bitcoin, Ethereum, Metamask) or mobile payment apps (WeChat Pay, Alipay). Attackers craft convincing offers—such as “quick investment returns” or “hackers‑for‑hire services”—and embed a deep link that initiates a payment to an attacker‑controlled address. The trust users place in QR codes for legitimate transactions makes these attacks highly effective.
Direct APK Downloads and App Store Bypass
QR codes are also used to distribute malicious APK files directly, circumventing the stringent review processes of official app stores. Unit 42 identified 59,000 host pages delivering 1,457 distinct APKs via QR codes. Many of these are gambling or casino apps that request excessive permissions—camera, location, external storage—and embed hidden advertising or data‑exfiltration mechanisms. Other malicious APKs include phone‑optimization tools that can install additional packages and access sensitive device information, and educational social‑network apps that collect logs and user data.
Indicators of Compromise
Attackers employ a range of URLs and domains. Sample indicators include:
- Short‑link QR codes: https://qrco.de/bgP6vx, https://cdnimg.jeayacrai.in.net/qY42h5ei3SBo9Zmv
- Phishing payment links: bitcoin:12wXzmwak8LJ88e1ejupY3brfQi43xdDhb, upi://pay?pa=Q573631163@ybl
- Telegram takeover link: tg://login?token=AQJgx85oZgPcBRoIg76p-8BBy4nB4Wpel-PvZ8Og7t_--A
- Signal takeover: https://signal-qr.org/chatZGtqZmpic2l1NDkzdWpka25zamRucDJ1MDllamtmOThyNGltdmZkZw==
- Line: https://link.members-ms.jp/view/clickCount?cst_id=000000000003690
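To show how a defender can triage decoded QR payloads into the categories the report describes (short links, messaging and payment deep links, direct APK downloads, known-bad hosts), the following Python function is an added example and not code from Unit 42 or the report. It takes the short-link services and indicator hosts from the text above as data; the classification rules, the set of payment URI schemes and the ".apk" path check are this example's own assumptions, and the classifier generalizes past the listed indicators to any bitcoin:, ethereum: or upi:// URI and any URL whose path ends in .apk.

```python
"""Triage decoded QR-code payloads into the categories the Unit 42 report describes.

Added example. The short-link hosts and the blocklisted hosts come from the
report's indicators; the classification rules themselves are assumptions.
"""
from urllib.parse import urlsplit, parse_qs

# Short-link services named in the report (hostnames are compared lowercase).
SHORT_LINK_HOSTS = frozenset({"qrco.de", "me-qr.com", "qrs.ly"})

# Payment URI schemes: bitcoin:/ethereum: wallet URIs and upi:// payment requests
# (assumed set; the report names Bitcoin, Ethereum and UPI-style payment links).
PAYMENT_SCHEMES = frozenset({"bitcoin", "ethereum", "upi"})

# Hosts taken from the report's indicators of compromise, used as a blocklist.
IOC_HOSTS = frozenset({
    "cdnimg.jeayacrai.in.net",
    "signal-qr.org",
    "link.members-ms.jp",
})


def classify_qr_payload(payload: str, ioc_hosts=IOC_HOSTS) -> dict:
    """Return {'category': ..., 'detail': ...} for one decoded QR payload."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # lowercased; port and userinfo stripped
    path = parts.path

    # tg://login?token=... hands a login token to the Telegram client,
    # which is the account-takeover flow the report describes.
    if scheme == "tg":
        action = parts.netloc.lower()
        if action == "login" and "token" in parse_qs(parts.query):
            return {"category": "messaging_login_deeplink", "detail": "telegram login token"}
        return {"category": "messaging_deeplink", "detail": f"telegram action {action!r}"}

    if scheme in PAYMENT_SCHEMES:
        # bitcoin:<address> carries the address in the path; upi://pay?pa=<vpa> in the query.
        target = path or parse_qs(parts.query).get("pa", [""])[0]
        return {"category": "payment_deeplink", "detail": f"{scheme} -> {target}"}

    if scheme in ("http", "https"):
        if host in ioc_hosts:
            return {"category": "known_malicious_host", "detail": host}
        if host in SHORT_LINK_HOSTS:
            # Only the redirector is visible here; the final destination must be
            # resolved separately, since the attacker can change it after distribution.
            return {"category": "short_link", "detail": host}
        if path.lower().endswith(".apk"):
            return {"category": "apk_download", "detail": host + path}
        return {"category": "http_url", "detail": host}

    return {"category": "unknown_scheme", "detail": scheme or "none"}


if __name__ == "__main__":
    # The report's own indicators, plus one constructed APK URL for the download rule.
    for sample in [
        "https://qrco.de/bgP6vx",
        "https://cdnimg.jeayacrai.in.net/qY42h5ei3SBo9Zmv",
        "bitcoin:12wXzmwak8LJ88e1ejupY3brfQi43xdDhb",
        "upi://pay?pa=Q573631163@ybl",
        "tg://login?token=AQJgx85oZgPcBRoIg76p-8BBy4nB4Wpel-PvZ8Og7t_--A",
        "https://signal-qr.org/chatZGtqZmpic2l1NDkzdWpka25zamRucDJ1MDllamtmOThyNGltdmZkZw==",
        "https://link.members-ms.jp/view/clickCount?cst_id=000000000003690",
        "https://example.invalid/downloads/casino.apk",  # constructed sample
    ]:
        print(classify_qr_payload(sample), "<-", sample)
```

A "short_link" verdict is deliberately not a final judgement: because the short-link service can re-point the code after distribution, the category only says that the destination must be resolved (in an isolated fetcher that follows redirects) and the landing host re-checked against the blocklist before the code is allowed or blocked.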
Mitigation Recommendations
Security teams should adopt a layered approach:
- Deploy Advanced URL Filtering: Block known short‑link services and inspect final destinations of QR‑generated URLs.
- Enable Prisma Browser with Advanced Web Protection: Detect and block malicious QR code hosts and deep‑link exploitation.
- Implement Mobile Device Management (MDM) Controls: Restrict installation of apps from unknown sources and monitor for unauthorized deep‑link activity.
- Educate Users: Promote a security culture that encourages scanning QR codes only from trusted sources and verifying the destination URL before proceeding.
- Monitor for Anomalous Deep‑Link Usage: Detect patterns such as repeated login prompts or payment requests originating from QR codes.
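As an added example of the monitoring rule in the last bullet (repeated login or payment requests originating from QR codes), and not code from the report, the following Python runs a sliding-window detection over constructed scan-log lines. The log format (an MDM or mobile-security agent recording timestamp, device id and decoded payload per scan), the five-minute window and the threshold of three sensitive scans are assumptions chosen for illustration.

```python
"""Flag devices whose QR scans repeatedly trigger login or payment deep links.

Added example. The log format is a constructed assumption; the window and
threshold are illustrative values, not figures from the report.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, device id, decoded QR payload.
SAMPLE_LOG = """\
2024-05-01T09:00:01 dev-a tg://login?token=AAA
2024-05-01T09:00:40 dev-a tg://login?token=BBB
2024-05-01T09:01:15 dev-a upi://pay?pa=Q573631163@ybl
2024-05-01T09:05:00 dev-b https://example.invalid/menu
2024-05-01T13:00:00 dev-c bitcoin:12wXzmwak8LJ88e1ejupY3brfQi43xdDhb
2024-05-01T14:30:00 dev-c tg://login?token=CCC
"""


def is_sensitive_action(payload: str) -> bool:
    """True for deep links that start a login or payment flow (scheme-prefix check only)."""
    p = payload.lower()
    return p.startswith("tg://login") or p.startswith(("bitcoin:", "ethereum:", "upi://pay"))


def parse_log(text: str):
    """Yield (timestamp, device, payload) tuples; payload may itself contain spaces."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, payload = line.split(" ", 2)
        yield datetime.fromisoformat(ts), device, payload


def find_repeat_offenders(text: str, threshold: int = 3,
                          window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {device: time_of_first_alert} for devices reaching `threshold`
    sensitive scans inside any `window`-long interval."""
    recent = defaultdict(deque)   # device -> timestamps of sensitive scans still in the window
    alerts = {}
    for ts, device, payload in sorted(parse_log(text)):
        if not is_sensitive_action(payload):
            continue
        q = recent[device]
        q.append(ts)
        while q and ts - q[0] > window:   # evict scans that fell out of the window
            q.popleft()
        if len(q) >= threshold and device not in alerts:
            alerts[device] = ts
    return alerts


if __name__ == "__main__":
    for device, when in find_repeat_offenders(SAMPLE_LOG).items():
        print(f"ALERT {device}: repeated login/payment deep links, first hit at {when}")
```

In the sample, dev-a reaches three login or payment deep links within 75 seconds and is flagged, while dev-c's two sensitive scans are 90 minutes apart and stay below the threshold; the same rule applied to real agent telemetry is what turns the bullet's "repeated login prompts or payment requests" into a concrete alert.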
Unit 42’s incident response team is available for organizations that suspect compromise. Contact details are listed in the original report.
Conclusion
The convergence of QR codes, URL shorteners, deep links, and direct APK distribution creates a potent phishing vector that bypasses traditional perimeter defenses. By combining technical controls with user awareness, organizations can reduce the risk posed by these evolving attack techniques.