Can QR codes contain viruses or malware?
Short answer: no, the QR itself can't carry malware. The risk is whatever the QR points to — and there are a few specific scams worth knowing about.
A QR code is just a string of text encoded as a grid of dots. There is nothing executable inside it. You cannot “catch a virus” by scanning a QR code, in the same way you cannot catch a virus by reading a URL out loud.
The catch is that almost every QR you see in the wild encodes a URL — and a malicious URL is the same threat whether it arrives by QR, email, or text message. The QR is just the delivery method.
Here’s the honest, useful version of the safety conversation.
What’s actually inside a QR code
When you scan a QR, the decoder extracts a string. That’s it. Depending on the QR, that string might be:
- A URL (`https://example.com`) — by far the most common.
- A piece of text (“Closed for renovations until June 1”).
- A Wi-Fi credential (`WIFI:S:CafeWifi;T:WPA;P:hunter2;;`).
- A vCard (contact info).
- A phone number (`tel:+1234567890`) or an SMS (`sms:+1234567890?body=Hi`).
- A Bitcoin or other crypto payment URI.
- A geo coordinate (`geo:40.7,-74.0`).
Your phone reads the string and offers to do something with it — open a URL, join a Wi-Fi network, save a contact, dial a number, etc. The QR itself didn’t do anything. Your phone is reacting to a string.
So when can scanning a QR be dangerous?
There are a handful of specific risks, and all of them ultimately come down to “the QR pointed somewhere bad.”
1. Phishing — the most common by far
Someone replaces the legitimate QR on a parking meter, restaurant menu, or charity poster with a sticker pointing at a lookalike payment page. You scan it expecting paywithbank.example and end up at paywith-bank.example (note the dash). You enter your card details. They take your money.
This is plain phishing — the QR is just the lure. The defenses are the usual ones:
- Look at the URL before tapping, especially when money or credentials are involved. Most phones show a preview of the destination URL after a scan; don’t ignore it.
- Be suspicious of QR stickers physically pasted over an existing QR. This is a common attack on parking meters and tip jars.
- For payments, use the official app, not a QR scan, when one is available.
2. Malicious app installs (rare on iOS, possible on Android sideloads)
A QR could point at a .apk download for an Android user who has sideloading enabled, claiming to be a legitimate app. iOS doesn’t allow this without enrolling devices in MDM, so it’s primarily an Android concern.
Defense: never install an app from a sideload-only link, no matter how legitimate it looks. Stick to the App Store / Play Store.
3. “Quishing” attacks in email
Attackers embed a QR code as an image in a phishing email — instead of a clickable link — to bypass email security tools that scan URLs. The QR points at the same kind of credential-harvesting page; the QR is just the smuggling mechanism.
Defense: if an email asks you to “scan the QR to verify your account,” just don’t. Go to the service’s website directly.
4. Wi-Fi network spoofing
A QR offering “free Wi-Fi” can join you to an attacker-controlled network with a name that looks legit. Once on it, they can run man-in-the-middle attacks on traffic that isn’t HTTPS.
Defense: HTTPS protects most modern services regardless of the network you’re on, but it’s still worth being skeptical of unsolicited Wi-Fi QR codes — especially ones taped to a coffee shop wall by someone who doesn’t work there.
5. Drive-by browser exploits (very rare, very patched)
In theory, a malicious URL could trigger a previously unknown browser exploit and compromise the device with no further interaction. In practice this requires the attacker to have a working zero-day exploit and to spend it on a low-yield target.
Defense: keep your phone’s OS and browser updated. That’s it. This isn’t a QR-specific risk.
How to scan a random QR safely
The conservative routine, in order:
- Look before you tap. Modern phone cameras show the decoded URL as a preview before opening it. Read the domain. Does it match what you expect?
- Look for a padlock and a familiar domain if the page asks for credentials or payment.
- Don’t install apps from QR-hosted download links. Go through the App Store / Play Store.
- If anything feels off, close it. Phishing is a numbers game; you don’t owe a sketchy QR your time.
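To make the two earlier points concrete (the decoded string is just text of a handful of types, and the routine is to inspect it before acting), here is an added example that is not part of the original post: a small Python decoder-side preview that classifies the payload types listed above and applies the look-before-you-tap checks. The sample payloads are constructed, and `expected_host` is a hypothetical parameter standing in for “the domain you expected to see”.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample payloads, one per type named in the post (not real scans).
SAMPLES = {
    "menu": "https://example.com/menu",
    "note": "Closed for renovations until June 1",
    "wifi": "WIFI:S:CafeWifi;T:WPA;P:hunter2;;",
    "call": "tel:+1234567890",
    "sms":  "sms:+1234567890?body=Hi",
    "geo":  "geo:40.7,-74.0",
    "apk":  "http://paywith-bank.example/app.apk",   # lookalike host, sideload
}

def _split_wifi(payload):
    """Parse the WIFI:key:value;...;; form into a dict (keys S, T, P, H)."""
    fields = {}
    for part in payload[len("WIFI:"):].split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key] = value
    return fields

def classify(payload):
    """Return (kind, details) for a decoded QR string; anything else is text."""
    low = payload.lower()
    if low.startswith(("http://", "https://")):
        u = urlsplit(payload)
        return "url", {"scheme": u.scheme, "host": u.hostname or "", "path": u.path}
    if low.startswith("wifi:"):
        return "wifi", _split_wifi(payload)
    if low.startswith("tel:"):
        return "tel", {"number": payload[4:]}
    if low.startswith("sms:"):
        u = urlsplit(payload)                      # path holds the number, query the body
        return "sms", {"number": u.path, "body": parse_qs(u.query).get("body", [""])[0]}
    if low.startswith("geo:"):
        lat, lon = payload[4:].split(",")[:2]
        return "geo", {"lat": float(lat), "lon": float(lon)}
    return "text", {"text": payload}

def preview(payload, expected_host=None):
    """Apply the post's checklist before acting; return (kind, list of warnings)."""
    kind, info = classify(payload)
    warnings = []
    if kind == "url":
        if info["scheme"] != "https":
            warnings.append("no padlock: plain http")
        if expected_host and info["host"] != expected_host:
            warnings.append(f"domain mismatch: got {info['host']!r}, expected {expected_host!r}")
        if info["path"].lower().endswith(".apk"):
            warnings.append("direct .apk download: sideload, not an app store")
    elif kind == "wifi":
        warnings.append(f"joins network {info.get('S')!r}: confirm with staff first")
    elif kind == "sms":
        warnings.append(f"would send a text to {info['number']}")
    return kind, warnings
```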
What about “malicious QR generators”?
There are scummier corners of the QR ecosystem — services that quietly insert their own redirect on top of your URL, services that bundle tracking pixels into the destination, etc. None of these put malware inside the QR. They just put themselves between you and your destination.
We have a whole post about that pattern — it’s the same redirect-middleman trick, applied to a slightly different problem.
TL;DR
- A QR cannot contain a virus. It contains text.
- The risk is whatever URL the QR points to. Treat scanning a QR exactly like clicking a link from an unknown source.
- Look at the destination before tapping. Be especially careful with payment, login, and Wi-Fi QRs.
- The codes you generate yourself with a tool like AFQR don’t carry any of these risks — you control the URL on the other side.