
Phishing on the Edge of the Web and Mobile Using QR Codes

ID: a206d60b-79d7-518d-81b5-b718508eae75

STIX ID: report--a206d60b-79d7-518d-81b5-b718508eae75

Feed Name: Palo Alto Networks Unit 42

Threat Score: 75/100

Date Published: 2026-02-13

Date Updated: 2026-04-28

Author: Diva-Oriane Marty, Shehroze Farooqi and Alex Starov


This Unit 42 report examines the growing misuse of QR codes for malicious purposes. Attackers use QR-code shorteners to hide destinations, in-app deep links to trigger account logins or app actions (enabling messenger account takeovers and payment fraud), and QR-linked direct APK downloads to distribute malicious Android apps. Telemetry shows thousands of malicious QR detections daily and targeted campaigns (including Signal targeting in the Russia–Ukraine context). The report describes multiple observed attack scenarios (financial fraud, contact/calendar poisoning, device linking) and provides numerous IOCs for detection and mitigation.
