At almost the same time, two different QR code issues have surfaced, affecting Android and iOS devices respectively. But there is a difference: the Android one is malware, while the iOS one is a bug.

Innocent Android QR code apps hide malware inside

The security firm SophosLabs discovered some Android malware apps living in the Play Store. These apps disguise themselves as QR code scanning and compass apps.

While this is not the first case of malware-infected apps finding a place on Google Play, the malware Andr/HiddnAd-AJ hidden in these apps was made to look like an Android programming library. Thus, it managed to bypass Google’s filtering system.


Google removed these QR code malware apps from the Play Store after they were downloaded more than 500,000 times.

QR code bug in iOS 11 Camera app

Now, for iOS, it’s not some malware hiding in plain sight on the App Store. A bug in the way the iOS 11 Camera app handles QR codes can push people towards malicious websites. The security researcher Roman Muller discovered the flaw.

The vulnerability allows a malicious link to be embedded in a QR code while looking harmless. After being scanned by an iPhone, for example, a QR code would display a notification offering to open Facebook.com in Safari. In reality, it could redirect the user to some fishy website. Muller shared a demo of the bug in action on Twitter.


Apple iOS camera app doesn’t properly parse URLs in QR codes. It shows a different host in the notification than it really opens. As of now still unfixed: https://t.co/EMQk7uBQ9i pic.twitter.com/KE6EwYhj7s

— Roman (@faker_) August 20, 2025


In his blog post (via 9to5Mac), Muller said the problem is in the Camera app’s URL parser.

Here is his example URL:

https://xxx\@facebook.com:443@infosec.rm-it.de/

According to Muller, the Camera app treats “xxx\” as the username and “facebook.com:443” as the host the request is sent to. Safari, on the other hand, treats “xxx@facebook.com” as the username and “443” as the password, and sends the request to “infosec.rm-it.de.”

Because of this, the hostname shown in the notification differs from the one actually visited when the link is opened.
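To make the parser disagreement concrete, here is an added Python example (not code from the article or from Muller). It parses the proof-of-concept URL with Python’s urllib, whose authority rule (userinfo runs to the last “@”) gives the same reading the article attributes to Safari, next to a hypothetical lenient parser, constructed here to reproduce the “facebook.com:443” reading and not Apple’s code. The looks_deceptive check is an assumed defensive rule a QR scanner or link preview could apply before showing a friendly hostname.

```python
from urllib.parse import urlsplit

# Muller's proof-of-concept URL as quoted in the article. The two '@' signs
# (and the backslash) are what make the authority part ambiguous.
POC_URL = "https://xxx\\@facebook.com:443@infosec.rm-it.de/"


def strict_parse(url):
    """Parse with Python's urllib, whose rule for the authority matches the
    Safari behaviour the article describes: userinfo runs up to the LAST '@',
    so the host is whatever follows it. Returns the fields a notification
    should be built from."""
    parts = urlsplit(url)
    return {
        "username": parts.username,
        "password": parts.password,
        "host": parts.hostname,
    }


def lenient_parse(url):
    """Hypothetical lenient parser, constructed here only to illustrate the
    mismatch (this is not Apple's code). It cuts userinfo at the FIRST '@'
    and takes the host as everything up to the next '@', which yields the
    'facebook.com:443' reading the article attributes to the Camera app."""
    authority = urlsplit(url).netloc
    if "@" not in authority:
        return {"username": None, "host": authority}
    username, _, rest = authority.partition("@")
    host = rest.partition("@")[0]
    return {"username": username, "host": host}


def looks_deceptive(url):
    """Assumed defender-side check for a QR scanner or link preview: do not
    show a friendly host name when the authority carries userinfo or a
    backslash at all (scanned links almost never need credentials), or when
    a lenient split would display a different host than the strict parse
    actually opens."""
    authority = urlsplit(url).netloc
    if "@" in authority or "\\" in authority:
        return True
    lenient_host = lenient_parse(url)["host"].split(":")[0]
    return lenient_host != strict_parse(url)["host"]


if __name__ == "__main__":
    for url in (POC_URL, "https://www.facebook.com/"):
        print(url)
        print("  strict  :", strict_parse(url))
        print("  lenient :", lenient_parse(url))
        print("  flagged :", looks_deceptive(url))
```

Running it shows the strict parse opening infosec.rm-it.de while the lenient parse would have displayed facebook.com:443; the plain Facebook URL parses identically under both rules and is not flagged. The practical lesson for anyone building a scanner is to derive the displayed host from the same parser that will open the link, and to be suspicious of any scanned URL that carries userinfo at all.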

Muller notified Apple about the vulnerability in December 2017, but it still remains unpatched after the release of the iOS 11.2.6 update. The possibilities it opens are wide. For instance, it could be used to trick many uninformed iOS users into downloading malware or visiting a scam website.
