Full Report
We discuss the extensive use of malicious QR codes using URL shorteners, in-app deep links and direct APK downloads to bypass mobile security. The post Phishing on the Edge of the Web and Mobile Using QR Codes appeared first on Unit 42.
Analysis Summary
# Tool/Technique: Quishing (QR Code Phishing) & Malicious Mobile Redirection
## Overview
This technique involves the use of malicious QR codes to facilitate phishing and malware delivery. By leveraging URL shorteners, in-app deep links, and direct APK downloads, attackers bypass traditional email and web security filters that often struggle to parse embedded image data or inspect mobile-specific redirection chains.
## Technical Details
- **Type**: Social Engineering / Delivery Technique
- **Platform**: Cross-platform (primarily Android and iOS)
- **Capabilities**: Credential theft, automated malware (APK) delivery, bypassing Secure Email Gateways (SEGs), and deep-linking into specific mobile applications.
- **First Seen**: Prevalence increased markedly in 2023-2024.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- **T1566.003 - Phishing: Spearphishing Link** (via QR code)
- **TA0002 - Execution**
- **T1204.001 - User Execution: Malicious Link**
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information** (QR codes mask the destination URL)
- **T1564 - Hide Artifacts** (Using URL shorteners to hide final destination)
- **TA0001 - Initial Access (Mobile)**
- **T1474 - Supply Chain Compromise** (via malicious App Store/APK mirrors)
## Functionality
### Core Capabilities
- **URL Masking**: Uses the physical nature of QR codes to prevent users and security scanners from previewing the URL before interaction.
- **Cross-Device Handoff**: Moves the attack from a monitored workstation (email) to a personal mobile device with fewer security controls.
- **Shortener Abuse**: Use of services like Bitly, TinyURL, or Rebrandly to bypass domain reputation filters.
### Advanced Features
- **In-App Deep Linking**: Using custom URI schemes (e.g., `intent://`, `fb://`) to bypass browser-based sandboxes and interact directly with mobile apps.
- **Dynamic Redirection**: Serving content based on the User-Agent, e.g. a phishing page to desktop users and a direct APK download to Android users.
- **Geofencing**: Configuring redirectors to only activate when scanned from specific geographic regions.
## Indicators of Compromise
*Note: Specific hashes per the Unit 42 report vary by campaign; these represent general patterns identified.*
- **File Hashes**:
- (Generic Malicious APKs associated with these campaigns)
- **Network Indicators**:
- `hxxps[:]//bit[.]ly/[random]`
- `hxxps[:]//qrco[.]de/[random]`
- `hxxps[:]//linktr[.]ee/[random]`
- `hxxps[:]//t[.]co/[random]`
- **Behavioral Indicators**:
- Scanning a QR code leading unexpectedly to a file download (`.apk`).
- Request for administrative permissions or Accessibility Services immediately after a QR scan/install.
## Associated Threat Actors
- **UNC2529** (Known for triple-extortion and sophisticated phishing)
- **Lazarus Group** (Observed using QR codes in job-themed spear-phishing)
- Various **Commodity Phishing-as-a-Service (PhaaS)** providers.
## Detection Methods
- **Signature-based detection**: Scanning QR code images for known malicious URLs or domains hidden within the pixel data.
- **Behavioral detection**: Monitoring for "Impossible Travel" logins following a QR scan or monitoring mobile devices for side-loading activity from browser processes.
- **Image Analysis**: Using Computer Vision (CV) to decode QR codes in transit at the email gateway level.
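The following triage routine is an added example, not code from the Unit 42 report: it assumes the gateway has already decoded a QR image to its payload string and then checks that payload for the patterns described above (defanged or live shortener hosts, direct `.apk` downloads, and `intent://` deep links, including the standard Android `S.browser_fallback_url` field that can carry a second URL). The shortener list combines the hosts from the network indicators with the services named under Core Capabilities; the sample payloads are constructed.

```python
"""Triage decoded QR payloads for the quishing patterns discussed on this page."""
from typing import List, Optional
from urllib.parse import urlparse, unquote

# Shortener / link-hub hosts: the indicator hosts above plus TinyURL and Rebrandly.
SHORTENER_HOSTS = {"bit.ly", "qrco.de", "linktr.ee", "t.co", "tinyurl.com", "rebrand.ly"}
# Custom URI schemes that hand the payload to an app instead of the browser.
APP_SCHEMES = {"intent", "fb", "market"}


def refang(payload: str) -> str:
    """Turn defanged notation (hxxps[:]//bit[.]ly/...) back into a parsable URL."""
    return payload.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def intent_fallback_url(payload: str) -> Optional[str]:
    """Extract S.browser_fallback_url from an Android intent:// URL, if present."""
    for part in payload.split(";"):
        if part.startswith("S.browser_fallback_url="):
            return unquote(part.split("=", 1)[1])
    return None


def triage(payload: str) -> List[str]:
    """Return risk findings for one decoded QR payload (empty list = nothing notable)."""
    findings: List[str] = []
    url = refang(payload.strip())
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    host = parsed.hostname or ""
    if scheme in APP_SCHEMES:
        findings.append(f"app deep link via {scheme}://")
        fallback = intent_fallback_url(url) if scheme == "intent" else None
        if fallback:
            # The fallback URL is what a device without the target app will open,
            # so it gets the same checks as a plain web link.
            findings.append("intent carries browser fallback URL")
            findings.extend(f"fallback: {f}" for f in triage(fallback))
    elif scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {scheme or '<none>'}")
    if host in SHORTENER_HOSTS:
        findings.append(f"URL shortener host {host}")
    if parsed.path.lower().endswith(".apk"):
        findings.append("direct APK download")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as a gateway might hand them over after decoding.
    for sample in ["hxxps[:]//bit[.]ly/3xyz", "https://cdn.example/app/update.apk",
                   "intent://example.com/open#Intent;scheme=https;package=com.example;"
                   "S.browser_fallback_url=https%3A%2F%2Fbit.ly%2Fabc;end"]:
        print(sample, "->", triage(sample) or "no findings")
```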
## Mitigation Strategies
- **Prevention measures**: Implement "QR code inspection" solutions at the Secure Email Gateway (SEG). Disable the "Open automatically" feature for QR scanners on mobile devices.
- **Hardening recommendations**: Enforce Mobile Device Management (MDM) policies that restrict side-loading of APK downloads and mandate the use of managed browsers.
- **User Training**: Educate employees to treat QR codes with the same skepticism as unsolicited email attachments.
## Related Tools/Techniques
- **URL Shorteners**: Used to obfuscate the final malicious landing page.
- **EvilProxy / Tycoon 2FA**: Man-in-the-middle phishing frameworks often delivered via QR codes to bypass MFA.
- **Smishing**: SMS-based phishing, often used in conjunction with QR techniques.