QR codes have become a ubiquitous part of everyday life, whether you like them or not. But they can also pose a security risk, as you can’t see at a glance to which website they’re directing you. While scanner apps usually show which URL is hidden inside a QR code, the Google Camera app apparently went a step further and tried to autocorrect URLs it deems wrong, leading to more problems than solutions.

Thankfully, Google has reacted quickly and has already provided a fix, just a few days after the story initially broke. The latest version of Google Camera doesn't exhibit the problem anymore.

As reported and investigated by German publication Heise, Google Camera routinely ran into at least three distinct errors. The first one revolves around a few country-code top-level domains (ccTLDs), and it doesn’t matter whether a QR code only points to an affected domain (like the non-existent Austrian https://fooco.at) or links to a deeper path (https://fooco.at/bar/index.htm). If the domain’s second-level label (fooco) ends with certain strings, Google Camera automatically inserts a dot, turning a link like https://fooco.at into https://foo.co.at. Heise tested further combinations and found that the issue also exists for .au, .br, .hu, .il, .kr, .nz, .ru, .tr, .uk, and .za. The affected strings at the end of the second level include co, com, ac, net, org, gov, mil, muni, and edu, but not or, gv, and k12.

The second issue deleted strings altogether, and again only specific ones are affected. Here, the problem crops up for top-level domains longer than two letters (like the Catalonian .cat). Heise reports that Google Camera swallows everything after the TLD’s first two letters, turning something like the Catalonian independence referendum’s address (https://referendum.cat) into the non-existent Canadian address https://referendum.ca. The same problem exists for .int, .pro, .travel, .apple, .bet, .beer, and .amex, with almost all of these being cut down to the first two letters (.apple being the exception, turning into .app). The problem also affects newer TLDs like .army, .art, .arte, .arab, .audio, .auto, and .autos.

Security researcher Adrian Dabrowski discovered a third problem that affected numbers in the subdomain (usually the www part). Here, Google Camera would once again arbitrarily add a dot, turning legitimate addresses like the Royal Bank of Canada’s https://www6.rbc.com into the 404-ing https://www.6.rbc.com. While you probably shouldn’t use a random QR code to access your online banking address, the problem might be more relevant for addresses like New York City’s https://www1.nyc.gov, which Google Camera turns into https://www.1.nyc.gov.

If you wanted to go wild, you could even combine error 3 with error 1 or 2, turning addresses like https://www2co.at into https://www.2.co.at.
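To make the three rewrite rules concrete, here is a small Python model of the behaviour described above, plus the check a scanner-app tester actually wants: does the host the app opens match the host in the raw QR payload? This is an added example, not Google's code; the exact rule boundaries (which TLDs are affected, that rule 1 runs before rule 3, that only labels left of the registrable domain count as "subdomain") are assumptions inferred from the examples Heise reported, and the inputs in the driver are the article's own sample addresses.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Rule 1 (assumed from the report): under these ccTLDs, a second-level label
# that ends in one of SPLIT_SUFFIXES gets a dot inserted (fooco.at -> foo.co.at).
SPLITTING_CCTLDS = {"at", "au", "br", "hu", "il", "kr", "nz", "ru", "tr", "uk", "za"}
SPLIT_SUFFIXES = ("muni", "com", "net", "org", "gov", "mil", "edu", "co", "ac")  # longest first

# Rule 2: only the TLDs the article lists are truncated; .apple became .app,
# the rest lost everything after the first two letters (.cat -> .ca).
TRUNCATED_TLDS = {"cat", "int", "pro", "travel", "apple", "bet", "beer", "amex",
                  "army", "art", "arte", "arab", "audio", "auto", "autos"}

# Rule 3: a subdomain label of letters followed by digits (www6) is split (www.6).
LETTERS_THEN_DIGITS = re.compile(r"^([a-z]+)([0-9]+)$")


def mangle_host(host: str) -> str:
    """Apply the three reported rewrite rules to a lowercase ASCII hostname."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return host

    # Rule 1: insert a dot before the matching suffix of the second-level label.
    if labels[-1] in SPLITTING_CCTLDS:
        sld = labels[-2]
        for suffix in SPLIT_SUFFIXES:
            # len(sld) > len(suffix): a label that *is* "co" (co.at) is left alone.
            if sld.endswith(suffix) and len(sld) > len(suffix):
                labels[-2:-1] = [sld[: -len(suffix)], suffix]
                break

    # Rule 2: truncate listed TLDs.
    tld = labels[-1]
    if tld in TRUNCATED_TLDS:
        labels[-1] = "app" if tld == "apple" else tld[:2]

    # Rule 3: everything left of the last two labels is treated as subdomain
    # (assumption), and letters+digits labels are split in two.
    rewritten = []
    for label in labels[:-2]:
        m = LETTERS_THEN_DIGITS.match(label)
        rewritten.extend([m.group(1), m.group(2)] if m else [label])
    return ".".join(rewritten + labels[-2:])


def mangle_url(url: str) -> str:
    """Rewrite only the host of a URL; scheme, path and query are untouched.
    Userinfo (user:pass@) is dropped, which is fine for QR payloads."""
    parts = urlsplit(url)
    if not parts.hostname:
        return url
    netloc = mangle_host(parts.hostname)
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc))


def host_was_rewritten(raw_payload: str, opened_url: str) -> bool:
    """The regression check: True when the scanner opened a different host
    than the one the raw QR payload names. Path differences are ignored."""
    raw_host = (urlsplit(raw_payload).hostname or "").lower()
    opened_host = (urlsplit(opened_url).hostname or "").lower()
    return raw_host != opened_host


if __name__ == "__main__":
    # The article's own sample addresses, run through the model.
    for payload in ("https://fooco.at", "https://fooco.at/bar/index.htm",
                    "https://referendum.cat", "https://www6.rbc.com",
                    "https://www1.nyc.gov", "https://www2co.at", "https://foogv.at"):
        opened = mangle_url(payload)
        flag = "REWRITTEN" if host_was_rewritten(payload, opened) else "ok"
        print(f"{payload:40} -> {opened:40} {flag}")
```

In a real test harness you would replace `mangle_url` with whatever URL the scanner under test hands to the browser (for example captured from the Android intent) and keep `host_was_rewritten` as the assertion: any host change between payload and opened URL is a finding, whatever the cause.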

Heise cites security researcher Dabrowski, who suspects that the issues might have been related to a controversial change introduced in Chrome. The browser hides parts of the full URL in the address bar for the sake of simplification, omitting some of the same components Google Camera mangles. Just look up our address in Chrome’s address bar: you won’t see https://www.androidpolice.com/, but androidpolice.com. While it’s understandable that Google tries to save as much space as possible when displaying URLs on small screens, these space-saving measures shouldn’t lead to errors carrying over into your browser, said Dabrowski.

However, the issue affected any browser, so even if you had, say, Firefox set as your default browsing app on your Android 12 device, you’d still be directed to the wrong link whenever you scanned a QR code using Google Camera.

Google Camera only reads QR codes when you activate Google Lens suggestions in its settings, allowing you to “point your camera to scan QR codes and barcodes” using only the Google Camera app. Strangely enough, Heise reports that the Google Lens app itself works just fine for all kinds of QR codes and isn’t introducing any of the errors.

The problem could have been a big deal, because it potentially led people to malicious websites purposely set up to take advantage of these Google Camera rules. While an attack like this might not reach too many people, registering an unclaimed domain is easy enough, at least if the domain in question can actually exist (which isn't the case for many of the addresses the Google Camera errors produce). Thankfully, most of the affected URLs were edge cases, and it’s pretty unlikely that Pixel owners would routinely run into addresses like these in the first place, given that Pixels are officially only sold in a few countries, most of which aren't affected by the first error. And newly invented TLDs like .auto or .audio are still rare enough that they shouldn’t be a problem right now.

Heise was able to confirm its findings with the Pixel 3 XL, 3a, 4, 4a, 5, and 6 Pro on Android 12. A Pixel 3a running Android 11 didn’t exhibit the problem, but did after upgrading to the latest OS version; we presume the upgrade also triggered a Google Camera update. We can corroborate Heise's findings with our own research on a Google Pixel 6 unit.

Luckily, Google worked hard to fix the problem quickly. Check the Play Store for a Camera update to version 8.4.400.423370569.19, which doesn't introduce these attempted corrections anymore. If it isn't available for you yet, you can also try downloading it over at APK Mirror.

UPDATE: 2022/01/22 12:10 EST BY MANUEL VONAU

The issue has been fixed

Google has reacted quickly and provided a fix for the problem in a recent app update. The coverage has been updated accordingly.


Thanks: Nick & Mikhail