We’ve seen QR code attacks before. They revolve around the obfuscatory nature of QR codes: you can’t tell by looking at one where it’ll send your device when you scan it. Therefore, the destination site might be host to a drive-by exploit. The link itself could, theoretically, even exploit the scanning software.
How does the attacker get you to scan a bad code? Well, by putting it in front of you. This doesn’t necessarily mean buying lots of ads and putting bad QR codes on them; that could be easily traced. They can just go around slapping malicious QR code stickers over the QR codes on legit ads. It’s not like anyone’s going to look closely…
All the more reason to cast your smartphone into a concrete pedestal, and position it in a wide-open space. Why? Because you installed a special app on it, and the screen now says “Tap here for burrito”: http://hackaday.com/2012/12/09/the-burrito-bomber/
“QR codes are two-dimensional matrix barcodes that can be scanned by smartphones that link users directly to a website without having to type in its address. By using QR codes (rather than links) as a jump-off point to dodgy sites, cybercrooks can disguise the ultimate destination of links.[…]
Warren Sealey, director enterprise learning and knowledge management, Symantec Hosted Services, explained: “we’ve seen criminals using bad QR codes in busy places putting them on stickers and putting them over genuine ones in airports and city centres.”
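Because a QR code hides its destination until it is decoded, a scanner can show and sanity-check the decoded payload before opening anything. The sketch below is an added example, not code from the post or from any scanner app; the function name, the `expected_domains` parameter and the shortener list are assumptions, and all sample payloads are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, illustrative set of link-shortener hosts (not from the post).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def inspect_qr_payload(payload, expected_domains=()):
    """Return (host, warnings) for a decoded QR payload, without fetching it.

    expected_domains: domains the poster or ad should link to (hypothetical
    input, e.g. the advertiser's own site), used to spot a pasted-over code.
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return None, ["payload is not a parseable URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return None, [f"non-web scheme or plain text: {scheme or 'none'}"]
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http")
    if parts.username or parts.password:
        warnings.append("userinfo before '@' can disguise the real host")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return None, ["no host in URL"]
    try:
        ipaddress.ip_address(host)
        warnings.append("IP literal instead of a domain name")
    except ValueError:
        pass  # not an IP address, so treat it as a domain name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label, possible look-alike domain")
    if host in SHORTENERS:
        warnings.append("link shortener hides the final destination")
    try:
        if parts.port not in (None, 80, 443):
            warnings.append(f"unusual port {parts.port}")
    except ValueError:
        warnings.append("invalid port")
    # Exact match or a true subdomain only: 'example.com.evil.test' must fail.
    if expected_domains and not any(
        host == d or host.endswith("." + d) for d in expected_domains
    ):
        warnings.append("host does not match the expected domain")
    return host, warnings

if __name__ == "__main__":
    for sample in ("https://www.example.com/menu",            # constructed
                   "http://example.com@203.0.113.7/promo",    # constructed
                   "https://example.com.evil.test/login"):    # constructed
        print(sample, "->", inspect_qr_payload(sample, ("example.com",)))
```

The check is static: it does not follow redirects, so a shortener or an unexpected host is reported as a warning rather than resolved.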