Malicious Techniques in the Mobile Market

Written by Michael Whittington

When 2012 was first taking shape I made a bold statement: a QR code cannot contain a virus. As the year ends and, on the day this is posted, the world (supposedly) comes to an end, my claim still rings true. Unfortunately, QR code generator software is still being used by some for foul deeds. ABC News agrees that neither the code nor the scanning action is the problem; it's the destination. They stress, however, that scanning one can mess up your phone indirectly if you don't take the proper precautions.

By now we're mostly familiar with a mobile text marketing incident where a Russian site used QR code generator software to display a code that would send a premium text message, charging the user $6 when it is scanned. Although this was the most publicized, QR codes are being used to scam people every day. Malicious techniques come in many forms and can affect you in more ways than a costly mobile text marketing charge. Familiarize yourself with the most prevalent.

Let's start with clickjacking. Clickjacking is arguably the most common malicious technique used against the mobile market. It involves disguising a website by essentially lying about what certain buttons do. For example, a harmless-looking popup window could begin downloading malware onto your device after you click X to close it, provided the X button is linked to do so. Some attackers take clickjacking a step further and create entire websites designed to look like others. Perhaps in the past year you have seen some interesting posts on Facebook. One of your friends is seemingly sharing an article with a very captivating title and a picture of a half-naked woman for the thumbnail. When you attempt to click on it you are brought to a page with a Captcha that, after you fill it out and press enter, causes you to share the link too.

Clickjacking is far from a new concept, but recently mobile marketing blogs have reported it transcending the bridge between digital and print. That bridge, of course, is QR codes. Scammers are using QR code generator software to print out stickers and affix them on top of QR codes on fliers and other print advertising. Someone may scan an advertisement with confidence, but the ad has been doctored after the fact, and instead of leading to, say, Tommy Hilfiger's website, it leads to a similar-looking website that may attempt to download malware to your phone. Although I had pondered the possibility, I had never heard the wretched tale of it being done until last week, when The Register posted a mobile marketing blog warning people to check every QR code they scan and make sure it isn't a sticker. Despite my recent discovery, it has been happening for a while. ABC2 reported on it in mid-2011.

Even less forgiving than clickjacking is drive-by downloading. This requires no user interaction; a download will simply begin if a user visits a website. To prevent drive-by downloading on your phone, be sure you're using a QR code scanning app that allows you to preview a website before actually visiting it. If you are led astray and accidentally visit a malicious site, most phones come preprogrammed with mobile marketing software that detects when a file is attempting to be downloaded, and you can confirm or deny it.
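The pre-visit check described above, as an added example that is not part of the original article: it inspects the text decoded from a QR code and returns a verdict before anything is opened, covering the premium-text case and the lookalike-site case mentioned earlier. The function name, the advertiser domain `example-brand.test` and the sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit

# Schemes that make the phone message or dial a number instead of browsing.
BILLABLE_SCHEMES = {"sms", "smsto", "mms", "mmsto", "tel"}

def preview_qr_payload(payload, expected_domains):
    """Return (verdict, reasons) for decoded QR text without opening it."""
    text = payload.strip()
    scheme = text.partition(":")[0].lower()
    if scheme in BILLABLE_SCHEMES:
        # The premium-text case: scanning would message or call a number.
        return "block", [f"'{scheme}:' payload can trigger a billed message or call"]
    if scheme not in ("http", "https"):
        return "block", [f"unexpected scheme '{scheme}'"]
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "block", ["URL does not parse"]
    if not host:
        return "block", ["URL has no host"]
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo before '@' can hide the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label may imitate another domain")
    # Trust only the advertiser's domain or a true subdomain of it.
    trusted = any(host == d or host.endswith("." + d) for d in expected_domains)
    if not trusted:
        reasons.append(f"host '{host}' is not the advertiser's domain")
    if scheme == "http":
        reasons.append("plain HTTP, destination is not authenticated")
    return ("allow" if not reasons else "warn"), reasons

# Constructed sample payloads (not taken from any real incident).
SAMPLES = [
    "https://www.example-brand.test/sale",
    "https://example-brand.test.promo-login.test/sale",
    "https://example-brand.test@203.0.113.7/app.apk",
    "SMSTO:00000:SUBSCRIBE",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", preview_qr_payload(sample, {"example-brand.test"}))
```

The second sample shows why the domain comparison anchors on the end of the host name: the advertiser's name appears in the URL, but the site that would actually be visited is `promo-login.test`.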

Wi-Fi sniffing is another technique used for harming people's smartphones and other devices that connect wirelessly. You probably own some piece of technology with the ability to connect to a wireless network automatically given you have the permissions. This feature makes our lives easier. I know I'd hate to have to type in my complex WPA password every time I sit down with my laptop at home. However, it is this same technology that allows for Wi-Fi sniffing to take place. Some simply want to avoid the cost of internet access while others use their access to particular networks to wreak havoc. Damage can be done to the mobile market in mass quantities, and quickly, when Wi-Fi sniffing is coupled with a few malicious hackers in a moving vehicle.

If you come to and click Blog, you'll find my wonderful ramblings. However, you can also go to and access this mobile marketing blog directly. Neither is problematic. However, if the Blog page were intended to be hidden or required authentication to access, then it would be a problem. Accessing restricted parts of websites using this method, often coupled with hacking and stealing the parameters from another user, is known as forceful browsing.
