Towards preventing QR code based attacks on android phone using security warnings

  • Authors:

  • Huiping Yao;Dongwan Shin

  • Affiliations:

  • New Mexico Tech, Socorro, New Mexico, USA;New Mexico Tech, Socorro, New Mexico, USA

  • Venue:
  • Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
  • Year:
  • 2013

Quantified Score

Hi-index 0.00

Visualization

Abstract

QR (Quick Response) code has become quite popular in recent years due to its large storage capacity, ease of generation and distribution, and fast readability. However, it is not likely that users will be able to find out easily the content encoded, typically URLs, until after they scan QR codes. This makes QR codes a perfect medium for attackers to conceal and launch their attacks based on malicious URLs. We believe that security hardening on QR code scanners is the most effective way to detect and prevent the potential attacks exploiting QR codes. However, little attention has been paid to the security features of QR code scanners so far in literature. In this paper, we investigated the current status of existing QR code scanners in terms of their detection of malicious URLs exploited for two well-known attacks: phishing and malware. Our study results show the existing scanners either cannot detect or can very poorly detect those two attacks. Hence, we propose a QR code solution called SafeQR that enhances the detection rate of malicious URLs by leveraging two existing security APIs to detect phishing and malware attacks: Google Safe Browsing API and Phishtank API. Additionally, a visual warning scheme was carefully designed and implemented to enable users to better heed warnings. A user study was designed and conducted to investigate the effectiveness of our scheme compared with the methods adopted by existing QR code scanners.