We discuss the extensive use of malicious QR codes using URL shorteners, in-app deep links and direct APK downloads to bypass mobile security.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

QR codes are increasingly exploited for phishing attacks through three main vectors: URL shorteners that mask malicious destinations (11,000+ daily detections), in-app deep links that enable account takeovers on messaging apps like Telegram and Signal, and direct APK downloads that bypass app store security. Financial services face the highest risk (29% of attacks), with attackers leveraging QR code shorteners, payment deep links, and malicious gambling apps. Notable campaigns include Russian state-aligned actors targeting Ukrainian Signal users. Detection remains challenging as standard web crawlers cannot analyze in-app deep link behavior, requiring mobile sandbox environments for proper threat assessment.

Phishing on the Edge of the Web and Mobile Using QR Codes

Phishing QR Codes Not New, but a Growing Threat

In-App Deep Links Vulnerabilities: More Than Just Web Browsing

Bypassing App Store Security: Direct App Downloads