If you just scanned a QR code and now you're wondering whether an app quietly appeared on your phone, take a breath. The short answer is: no, that is not how QR codes work. But the longer answer reveals a few real risks worth understanding — especially if you're on Android.
What QR codes can and cannot do on their own
A QR code is just a link in disguise. When your phone's camera scans one, it reads the encoded URL and either opens it in a browser or hands it off to an app that handles that URL type. That's it. There is no mechanism for a QR code to reach into your phone, communicate with the operating system, and install software — any more than clicking a link on a webpage can install an app without your involvement.
On iOS: Apple's sandboxing model means apps can only be installed through the App Store. There is no way to sideload an app from a QR code on a standard iPhone — full stop. If a QR code opens the App Store on an app's page, you still have to tap "Get" and authenticate with Face ID, Touch ID, or your Apple ID password. Nothing installs without that confirmation.
On Android: The same principle applies under normal settings. Apps install from Google Play, and sideloading an APK from outside the Play Store requires you to first go to Settings, find the specific browser or file manager you want to grant permission, toggle "Allow from this source," and then approve the installation dialog that appears when the APK is opened. A QR code cannot bypass any of those steps.
What CAN happen — and what to watch for
Knowing that silent installation is impossible doesn't mean there's zero risk. Here's where things can go wrong:
Deep links to app store pages. A QR code can open the App Store or Play Store directly on an app's install page. If you tap "Install" on autopilot — especially if the page is designed to look like a service you already use — you could install something you didn't intend.
Fake app store pages. A malicious QR code can point to a webpage that closely mimics the App Store or Play Store. It might show a fake download button that triggers an APK file download (on Android). If you tap through the warnings and approve the install, a malicious app can get onto your device. iOS is substantially more protected here because there is no APK equivalent for standard devices.
Browser exploit redirects. On very outdated devices running unpatched browsers, certain malicious pages have historically been able to exploit vulnerabilities to gain elevated access. This is rare and typically patched quickly, but it's why keeping your OS and browser updated matters.
How to check if anything was installed
If you're worried something snuck through, here's how to check:
On Android: Open Settings > Apps (or Application Manager). Tap the sort icon and select "Last updated" or sort by install date. Any app installed recently will appear at the top. Look for anything unfamiliar.
On iOS: Swipe down on your home screen to open Spotlight Search and type the name of any app you're worried about. Alternatively, swipe all the way left to the App Library and browse the "Recently Added" category — it shows apps installed most recently at the top.
If nothing new appears, nothing was installed.
The bottom line
QR codes cannot install apps without your knowledge or consent on any modern smartphone. What they can do is open app store pages, redirect you to convincing fake download sites, or link directly to APK files on Android. Your defense is simple: preview the destination URL before tapping anything, and never approve an install dialog for software you didn't go looking for.
For related reading, see what happens when a QR code takes you to the App Store, whether a QR code can track your location, and whether scanning a QR code can give someone access to your phone.
Download QRsafer for iOS or Android to preview any QR code destination before it loads — before any install prompt can appear.