The time it takes for a theoretical cyberattack to become one that actually exists in the wild is, in the case of a new Android threat, shockingly brief.
A few weeks ago, a researcher from the mobile security blog Kaotico Neutral demonstrated how QR tags — stamp-size digital bar codes which transmit data directly to smartphones — could easily be rigged to attack. Because these tags are found on everything from subway advertisements and coupon flyers to bottles of shampoo, the researcher posited, they would make a dangerous weapon if an attacker injected them with some sneaky, harmful code.
It took less than a month for the imaginary scenario to become a frighteningly real one. The security firm Kaspersky Lab discovered QR tags embedded with code that directs the Android smartphones that interact with them to malicious websites hosting an Android Trojan.
"Once installed, the Trojan will send a number of SMS messages to premium-rate numbers which will end up costing the victim some money, depending on how quickly she is able to find and remove the Trojan," Kaspersky Lab's Dennis Fisher wrote. Each text message costs victims $6, and with the onslaught of high-priced messages comes "JimmRussia," an icon that automatically installs itself on the menu screen of infected phones. The offending Trojan is called Trojan-SMS.AndroidOS.Jifake.f.
QR tags aid in the propagation of mobile phone scams like this because of the way the tags are configured to interact with smartphones. Many QR tags automatically redirect mobile Web browsers to websites without first displaying the URL.
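The safer behaviour is for a scanner to show the decoded destination and ask before opening it. The Python sketch below is an added illustration, not code from the article, Kaspersky Lab or any scanner app; the function name, the warning rules and the sample payloads are assumptions constructed for the example.

```python
from urllib.parse import urlsplit
import ipaddress

WEB_SCHEMES = {"http", "https"}  # assumed policy: only these are offered for opening

def preview_qr_payload(payload):
    """Return what a scanner should display before acting on decoded QR text.

    A URL is never opened automatically: it is surfaced with its real host
    and any warnings, and the user has to confirm.
    """
    text = payload.strip()
    try:
        parts = urlsplit(text)
        host = parts.hostname
    except ValueError:  # e.g. unbalanced brackets in the host part
        return {"action": "show_text", "display": text, "warnings": ["malformed URL"]}
    scheme = parts.scheme.lower()
    if scheme not in WEB_SCHEMES or not host:
        # Plain text or a scheme this sketch does not handle: display only.
        return {"action": "show_text", "display": text, "warnings": []}

    warnings = []
    if scheme == "http":
        warnings.append("unencrypted connection")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # an ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalized (punycode) host name")
    if parts.username or parts.password:
        warnings.append("URL contains embedded credentials before the host")
    if parts.path.lower().endswith(".apk"):
        warnings.append("link downloads an Android package (APK)")

    # Display the host the browser would actually contact, not the userinfo part.
    return {"action": "confirm_before_open",
            "display": f"{scheme}://{host}{parts.path}",
            "warnings": warnings}

if __name__ == "__main__":
    # Constructed sample payloads (documentation address and reserved domains).
    for sample in ("http://203.0.113.7/files/app.apk",
                   "https://example.com@evil.example/x",
                   "Hello from a poster"):
        print(preview_qr_payload(sample))
```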
Kaspersky Lab's Denis Maslennikov said it was inevitable that cybercriminals would eventually exploit QR tags to spread mobile malware.
"Usage of QR codes for malware spreading was predictable," he wrote. "And as long as this technology is popular, cybercriminals will use it."