Long conversations and persuasion are no longer needed to completely lose control.

Familiar QR codes, increasingly common in advertising, websites, and apps, are gradually becoming a convenient tool not only for businesses but also for attackers. Unit 42 at Palo Alto Networks described how attackers are using QR codes to lure victims beyond traditional security measures and exploit more vulnerable scenarios on personal smartphones.
The report's authors identified the three most notable techniques. The first involves services that combine QR code generation and link shortening. Such QR codes lead not to the final website but to an intermediate address with redirects, and the owner can quickly change the final destination. According to Unit 42 telemetry, over 11,000 malicious QR code detections are recorded on average per day. In offline web crawling, specialists find approximately 75,000 QR codes daily, and approximately 15 percent of these pages contain codes that lead to dangerous links.
The second technique is embedding deep links, which are links that open a specific screen within a mobile app and trigger an action without a typical web navigation. This complicates analysis, as standard web scanners often don't see what exactly happens after scanning. There are scenarios where deep links prompt users to log in to a messenger, link a device, send a message, or proceed to a payment action. In Unit 42's sample, the share of deep links in QR codes was approximately three percent, with the most common links for Telegram, XHS Discover, and Line. Examples of attacks on Signal and WhatsApp using device linking mechanisms were also described.
The third risk is related to attempts to bypass app store checks. Analysts discovered 59,000 pages with QR codes leading directly to downloads of Android apps in APK format, counting a total of 1,457 unique files. A significant portion of these downloads are associated with gambling services, where the installer requests permissions that appear excessive for the intended function, including access to the camera, geolocation, and storage.
The report also notes the industry breakdown of attacks compromising QR codes through URL shortening services: the financial sector accounted for 29 percent of such cases, followed by high-tech with 19 percent, and wholesale and retail with 14 percent. However, the share of financial QR links in overall traffic is significantly lower, highlighting the targeted nature of the abuse.
Palo Alto Networks attributes the rise of quishing to the fact that QR codes have become routine, and mobile scenarios give attackers more ways to hide their end goal behind redirects and in-app actions.
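
For defenders, the three techniques above can be turned into a first-pass triage of decoded QR payloads before anyone opens them. The sketch below is an added example, not code from Unit 42 or Palo Alto Networks; the shortener hosts, the `appx` scheme, the keyword list, and all sample payloads are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hosts your organisation treats as QR/link-shortening services.
# Constructed placeholders, not names taken from the report.
SHORTENER_HOSTS = {"qr-short.example", "lnk.example"}
WEB_SCHEMES = {"http", "https"}
# Heuristic keywords for the in-app actions the article lists
# (log in, link a device, send a message, pay). An assumption, tune locally.
SENSITIVE_WORDS = ("login", "link", "send", "pay")


def triage_qr_payload(payload: str) -> dict:
    """Map one decoded QR string onto the three risk categories."""
    text = payload.strip()
    findings = []
    try:
        parts = urlsplit(text)
    except ValueError:
        # Malformed URL (e.g. broken IPv6 literal): route to manual review.
        return {"payload": text, "findings": [("malformed", "")], "review": True}

    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme in WEB_SCHEMES:
        if host in SHORTENER_HOSTS:
            # Destination can change after the code is published:
            # resolve the redirect chain in a sandbox at scan time.
            findings.append(("shortener_redirect", host))
        if parts.path.lower().endswith(".apk"):
            # Direct APK download that skips app store checks.
            findings.append(("direct_apk", parts.path))
    elif scheme:
        # Non-web scheme: handled inside an app, so a web scanner sees nothing.
        action = f"{parts.netloc}{parts.path}?{parts.query}".lower()
        hits = [w for w in SENSITIVE_WORDS if w in action]
        findings.append(("deep_link", f"scheme={scheme} sensitive={hits}"))
    return {"payload": text, "findings": findings, "review": bool(findings)}


def categories(payload: str) -> list:
    """Return only the category names for a payload."""
    return [name for name, _ in triage_qr_payload(payload)["findings"]]


if __name__ == "__main__":
    for sample in ("https://qr-short.example/a1B2",          # constructed
                   "appx://device/link?token=CONSTRUCTED",   # constructed
                   "https://files.example/casino/setup.APK"):  # constructed
        print(triage_qr_payload(sample))
```

The check only sees custom URI schemes; deep links delivered as ordinary `https` app links need a per-app host and path list on top of it.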
