Mobile Security Woes

QR codes as malware vector.

(via @grecs)

QR codes (those black and white squares that are the evolution of bar codes) are certainly handy for getting information onto smartphones.  Companies know that few customers are going to manually enter a URL to get to an app or visit a website.  A lot more people will scan a code to check something out.

The codes are sort of like the various URL shortening services.  You have no idea what you are actually being sent to by looking at it, so you just have to trust the source that is providing this link/code to you.

That doesn’t really sit well, and the linked article shows how it’s beginning to be abused.

Some HTC Android phones reveal personal info. 

(Threatpost writeup, Original source)

HTC has a bit of custom code running on some of their Android smartphones that grabs all sorts of logging information.  It’s not clear if this is for debugging purposes, data aggregation, or something else, but the main problem is that ANY app with basic internet permissions can call this logging framework.  From there the logs can be dumped and reveal just about everything stored on the phone.

Now we just wait for some enterprising folks to combine these two things and put out a QR code that downloads an app that looks harmless, but secretly sends everything about your phone usage to a database somewhere in eastern Europe.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s