Can a QR code install malware on my phone?
A QR code itself cannot run code, but it can direct your phone to a malicious website that tries to download malware or phish your credentials.
Last reviewed: 1 June 2026
Explanation
QR codes are simply machine-readable links. When you scan one, your phone opens the encoded URL. If that URL leads to a site that exploits a browser vulnerability, mimics a login page to steal credentials, or prompts you to download a malicious app outside your official app store, your device or accounts can be compromised. Scammers place fake QR codes over legitimate ones in public places such as parking meters, restaurant tables, posters, and delivery notices. The risk is especially high if your phone OS or browser is not updated. Always preview the URL before opening it, and be cautious about scanning codes in unexpected places.
Common red flags
- QR code on a sticker placed over an existing code in a public place
- URL shown after scanning looks unfamiliar or misspelled
- Code arrives unsolicited by text, email, or post
- Page asks you to log in to an account after scanning
- Page prompts you to download an app from an unofficial source
What to do now
- Preview the URL before opening — most phone cameras show a preview
- Keep your phone OS and browser updated to patch vulnerabilities
- If you visited a suspicious site, change relevant passwords and run a security check
- Report fake QR codes to the venue or local authority responsible for that location
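The URL preview step can also be automated, for example in a scanner app or a help-desk tool. The sketch below is an added example, not code from this page's author: it checks a decoded QR payload against the red flags listed above without opening it. The expected domains, file types and sample hosts are constructed assumptions.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumptions for this sketch: domains the user expects to see (constructed
# placeholders) and file types that indicate a direct app download.
EXPECTED_DOMAINS = ("parking.example", "menu.example")
APP_FILE_TYPES = (".apk", ".ipa", ".mobileconfig")


def edit_distance(a, b):
    """Levenshtein distance, used to spot misspelled lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_qr_payload(payload):
    """Return warnings for a decoded QR payload, without opening it."""
    url = urlsplit(payload.strip())
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https") or not host:
        return ["not a web link"]
    warnings = []
    if url.scheme == "http":
        warnings.append("unencrypted http link")
    if url.username is not None:
        warnings.append("text before '@' hides the real host: " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP address
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another name")
    if url.path.lower().endswith(APP_FILE_TYPES):
        warnings.append("direct app download outside an official store")
    trusted = any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)
    if not trusted:
        near = [d for d in EXPECTED_DOMAINS if edit_distance(host, d) <= 2]
        warnings.append("misspelling of " + near[0] if near else "unfamiliar domain: " + host)
    return warnings
```

An empty list means none of these checks fired; it does not prove the destination is safe.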
Frequently asked questions
Is it safer to scan QR codes with a dedicated app rather than my camera?
Using a reputable QR scanner that shows a URL preview before loading it adds a layer of protection. However, the risk lies in the destination website, not the scanning method itself.