Friday, 14 February 2014
However, it makes sense to initiate the attack with a QR code because that's one way mobile device users visit websites. QR codes are also very visual and so help make demonstration videos more dramatic.
The really important point to take away from this attack is that users do not have to allow any new (malicious) application to run. This is not a social engineering attack in which the user is tricked into installing a malicious application.
They simply need to visit a website (QR code-initiated or not) and the attacker is able to run commands on their device.
It is possible that there are earlier demonstrations of Android-based automatic (aka 'drive-by') attacks, but I've not seen any until now.