Can a QR Code Listen to Your Microphone?
No — scanning a QR code cannot automatically activate your microphone. The scan only reads a URL; it does not execute any code and cannot touch your phone's hardware. However, the website a QR code opens can request microphone access, and some scam sites are designed to do exactly that. Here is what can and cannot happen, and how to stay in control.
What the QR scan itself can and cannot do
A QR code is a visual representation of a URL — nothing more. When your camera reads the pattern, it decodes that URL. No software runs, no permissions are checked, and no sensor is switched on by the act of scanning.
The microphone risk only begins when you tap through to open the website the QR code points to. At that point the site can behave like any other webpage — and any webpage can ask your browser for microphone access.
Your phone always asks first
iOS and Android both require an explicit permission dialog before any website can use your microphone. You will see a browser prompt — “[site] wants to use your microphone” — and you must tap Allow. There is no mechanism for a website to bypass this requirement. If you tap Block or Don't Allow, the site cannot hear anything.
When a QR code microphone risk is real
There are two realistic scenarios where a malicious QR code could eventually reach your microphone — both require you to take an action beyond the initial scan:
Scenario 1 — you tap Allow on a fake permission prompt
The QR code opens a browser page designed to look like a video-call check-in, an identity-verification portal, or a “prove you're human” audio CAPTCHA. The page requests microphone permission through the standard browser dialog. If you tap Allow, the site can capture live audio until you close the tab or revoke access.
The tell: the browser dialog shows the domain making the request. If it is not a service you recognise and sought out — a Zoom meeting you booked, a bank you called — tap Don't Allow and close the tab.
Scenario 2 — the QR code leads to a rogue app install
A QR code redirects to a page offering an APK download (Android) or an unofficial app profile (iOS via TestFlight or MDM), and you install it. A malicious app can request microphone permission through its own install or onboarding flow — separate from the browser entirely. This is rare and requires multiple deliberate steps: downloading the file, confirming installation from an unknown source on Android, and then granting the app microphone access when it asks.
What a QR code cannot do to your microphone
- Activate your microphone silently at the moment of scanning
- Bypass the browser's microphone permission dialog
- Access your microphone in the background while the browser tab is closed
- Read audio from other apps or your phone's call history
- Carry over microphone access across browser sessions after you revoke it
Modern mobile operating systems were specifically designed to prevent silent sensor access. A website opening in a browser runs in a sandboxed environment that cannot touch hardware without going through the OS permission layer — a layer that always surfaces a visible dialog to the user.
How to check and revoke microphone permissions
If you think you may have tapped Allow on an unexpected permission prompt after scanning a QR code, close the browser tab immediately — that stops live access. Then revoke the permission so the site cannot ask again:
On iPhone (iOS)
Settings → Privacy & Security → Microphone — toggle off your browser (Safari, Chrome, Firefox) or any app you do not recognise.
For per-site Safari control: Settings → Safari → Advanced → Website Data — find the suspect domain and remove it.
On Android
Settings → Privacy → Permission Manager → Microphone — find your browser and set it to “Ask every time” or “Denied.”
In Chrome: tap the lock icon in the address bar while on the suspicious site → Site settings → Microphone → Reset to Ask.
Stop the threat before any permission dialog appears
The browser's microphone dialog is your last line of defence — but the site has already loaded by the time it appears. QRsafer checks the destination URL against real-time threat intelligence the moment you point your camera at a code, before you tap through. If the destination is flagged as risky or dangerous, you see the warning before any page loads — and before any permission request fires.
A site you never open cannot request your microphone. That is the simplest protection available.
Frequently asked questions
Can a QR code activate my microphone without me knowing?
No. Scanning a QR code only reads the URL inside it — the scan itself activates no hardware. Only a website opened after the scan can request microphone access, and your phone will always show a permission dialog requiring you to tap Allow first. Nothing happens silently.
What would a malicious QR code have to do to reach my microphone?
It would need to open a webpage disguised as a legitimate service — a video call, identity check, or audio CAPTCHA — and you would have to tap Allow on the browser's microphone permission dialog. Alternatively, if the code led you to install a rogue app, that app could request microphone access during installation. Both paths require your active approval.
How do I check and revoke microphone permissions on my phone?
On iPhone: Settings → Privacy & Security → Microphone — toggle off any browser or app you do not recognise. On Android: Settings → Privacy → Permission Manager → Microphone — revoke access for any unfamiliar entry. In Chrome, tap the address-bar lock icon on the suspect site and reset the Microphone permission to Ask. Closing the browser tab stops live access immediately; revoking the permission prevents future requests.
See the URL before the page — or any permission prompt — loads.
QRsafer checks the destination URL against real-time threat databases the moment you aim your camera — giving you a Safe, Risky, or Dangerous verdict before you tap through and before any permission dialog can appear. Download it free for iOS and Android.