I Scanned a QR Code and It Downloaded Something — What to Do Now
You scanned a QR code and your phone started downloading a file you didn't ask for. Before you open it, here's how to figure out what it actually is, how dangerous it could be, and the exact steps to handle it safely.
What QR codes can actually cause to download
A QR code is just a link. When your phone scans it, your browser opens the URL — and that page can trigger a download the same way any website can. What gets downloaded depends entirely on what the attacker (or the legitimate site) put there.
Common things QR code scans can push to your phone:
- PDF files. Often disguised as invoices, receipts, parking tickets, or delivery notices. Most PDFs are harmless to view, but malicious PDFs can exploit vulnerabilities in unpatched PDF readers to execute code.
- Android Package files (.apk). These are installable Android apps. Downloading an .apk does not install anything — but if you then tap “Install,” you could be installing spyware, adware, or a banking trojan. iOS blocks .apk files entirely; they're Android-only.
- Configuration profiles (.mobileconfig on iOS). Scammers use these to install a custom VPN or certificate that routes your traffic through their servers, letting them intercept your browsing. iOS requires explicit user approval to install a profile, but the prompt can be confusing.
- Calendar events (.ics). Low risk on their own — they add a calendar appointment. But the event description may contain spam links, and the invite can look like a legitimate notification.
- Contact cards (.vcf). Harmless unless the embedded phone number or email is designed to trick you into calling a scam number later.
The most dangerous downloads are .apk files on Android and .mobileconfig profiles on iOS. PDFs are worth being cautious about. Everything else carries lower immediate risk.
Do not open the file yet — check this first
Before you tap the downloaded file, take thirty seconds to assess it:
- Find the file. On Android, open the Files app or your Downloads folder. On iPhone, check the Files app (Downloads) or your browser's download history.
- Look at the file name and extension. A file called receipt.pdf or event.ics is what it says it is. A file called invoice.apk, update.exe, or anything ending in .apk that you didn't expect is a serious red flag — do not open it.
- Check the file size. A blank one-page PDF used as a phishing lure is often suspiciously tiny (a few KB). A real invoice or menu PDF is usually at least 50–200 KB.
- Consider context. Were you expecting to download something from that QR code? A restaurant menu QR code should open a web page, not push a PDF download to your phone. An unexpected download is always suspicious.
If anything looks off, delete the file immediately. Do not open it to “check what it is” — that is exactly the moment malicious code can execute.
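The same name, extension and size checks can be scripted for anyone triaging such a file from a computer or helpdesk workstation. The sketch below is an added example, not part of the original article, and goes one step further by comparing the extension against the file's first bytes. The function names, the magic-byte table, the 5 KB cutoff and the sample inputs are assumptions constructed for illustration.

```python
import os

# Risk tiers follow the article; magic-byte table and 5 KB cutoff are assumptions.
RISK_BY_EXT = {".apk": "high", ".mobileconfig": "high", ".exe": "high",
               ".pdf": "moderate", ".ics": "low", ".vcf": "low"}
# Leading bytes that reveal the real format, and what each extension should contain.
MAGIC = [(b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"), (b"MZ", "windows-exe"),
         (b"BEGIN:VCALENDAR", "ics"), (b"BEGIN:VCARD", "vcf"), (b"<?xml", "xml")]
EXPECTED = {".pdf": "pdf", ".apk": "zip", ".exe": "windows-exe",
            ".ics": "ics", ".vcf": "vcf", ".mobileconfig": "xml"}

def sniff(head: bytes) -> str:
    """Name the container format from the first bytes of the file."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"

def triage(name: str, head: bytes, size: int) -> dict:
    """Risk tier and red flags from name, first bytes and size only."""
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    risk, flags = RISK_BY_EXT.get(ext, "unknown"), []
    # receipt.pdf.exe: a document-looking name in front of an installable type.
    if len(parts) > 2 and "." + parts[-2] in RISK_BY_EXT and risk == "high":
        flags.append("double-extension")
    kind = sniff(head)
    if ext in EXPECTED and kind != EXPECTED[ext]:
        flags.append("content-is-" + kind)
        if kind in ("zip", "windows-exe"):   # archive or program behind a document name
            risk = "high"
    if ext == ".pdf" and size < 5 * 1024:
        flags.append("tiny-pdf")
    return {"risk": risk, "flags": flags}

def triage_path(path: str) -> dict:
    """Same check for a file on disk; reads 16 bytes, never renders the file."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return triage(os.path.basename(path), head, os.path.getsize(path))

# Constructed samples: (file name, first bytes, size in bytes).
SAMPLES = [("event.ics", b"BEGIN:VCALENDAR\r\n", 800),
           ("receipt.pdf", b"%PDF-1.7\n", 3000),
           ("menu.pdf", b"PK\x03\x04\x14\x00", 2_400_000),
           ("receipt.pdf.exe", b"MZ\x90\x00", 310_000)]

if __name__ == "__main__":
    for name, head, size in SAMPLES:
        print(name, triage(name, head, size))
```

A signed .mobileconfig is wrapped in a binary signature container, so it reports content-is-unknown here while staying in the high tier.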
What to do right now
If you haven't opened the file
- Delete the file from your Downloads folder without opening it.
- Clear your browser cache: Safari → Settings → Clear History and Website Data; Chrome → Settings → Privacy → Clear browsing data.
- No further action is needed unless the QR code also took you to a page where you entered personal information.
If you opened a PDF or image
- Update your PDF reader app and your phone's operating system immediately — patches close the exploits malicious PDFs target.
- Delete the file.
- Monitor your accounts for the next 24–48 hours for unusual activity.
- If the PDF contained a link and you tapped it, treat that separately — apply the same steps as any phishing link.
If you downloaded and installed an .apk (Android)
- Go to Settings → Apps and look for any app you don't recognize that was installed recently. Uninstall it.
- Check app permissions: Settings → Apps → (app name) → Permissions. Revoke any that seem excessive.
- Change passwords for your email and banking apps as a precaution — start with email since it's the master key to everything else.
- Run a scan with Malwarebytes or Bitdefender for Android.
- If your phone is behaving strangely after uninstalling (battery draining fast, data spiking, unfamiliar pop-ups), perform a factory reset after backing up your photos and contacts.
If you installed a configuration profile (iOS)
- Go to Settings → General → VPN & Device Management.
- If you see a profile you don't recognize, tap it and select Remove Profile.
- Remove any VPN configuration that appeared around the time of the scan: Settings → General → VPN & Device Management → VPN.
- Change your Wi-Fi and Apple ID passwords as a precaution.
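To see what a downloaded .mobileconfig would add to a device, the file can be read as a property list on a computer without installing it. This is an added example, not part of the original article: it lists the VPN and certificate payloads the article warns about, and the function name, the short payload table and the sample profile are constructed for illustration.

```python
import plistlib

# Apple PayloadType identifiers for the payloads the article warns about.
RISKY_PAYLOADS = {
    "com.apple.vpn.managed": "VPN configuration",
    "com.apple.security.root": "trusted root certificate",
    "com.apple.security.pkcs1": "certificate",
}

def inspect_profile(data: bytes) -> dict:
    """List traffic-interception payloads in an unsigned configuration profile."""
    try:
        profile = plistlib.loads(data)
    except Exception:
        # Signed profiles are CMS-wrapped and are not a bare plist; treat them
        # (and anything malformed) as unparsed rather than guessing.
        return {"parsed": False, "name": "", "findings": []}
    if not isinstance(profile, dict):
        return {"parsed": False, "name": "", "findings": []}
    findings = []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        label = RISKY_PAYLOADS.get(payload.get("PayloadType", ""))
        if label:
            findings.append((label, payload.get("PayloadDisplayName", "")))
    return {"parsed": True,
            "name": profile.get("PayloadDisplayName", ""),
            "findings": findings}

# Constructed sample profile; names and identifiers are placeholders.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Parking Payment Setup",
    "PayloadIdentifier": "example.invalid.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed", "PayloadDisplayName": "Secure Connect"},
        {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "Example Root CA"},
        {"PayloadType": "com.apple.webClip.managed", "PayloadDisplayName": "Shortcut"},
    ],
})

if __name__ == "__main__":
    report = inspect_profile(SAMPLE)
    print(report["name"])
    for label, display in report["findings"]:
        print(" -", label + ":", display)
```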
How to prevent unexpected QR code downloads
The fundamental problem is that QR codes hide their destination — and their destination can trigger a download instantly. A few habits make a real difference:
- Use a scanner that previews the URL before opening it. QRsafer shows you the destination URL and runs a safety check before your browser loads anything. A page that auto-downloads a suspicious file will be flagged before you land on it.
- Keep your OS and apps updated. The exploits that malicious PDFs and .apk files rely on are routinely patched. An up-to-date device is dramatically less vulnerable.
- Never install an app via a QR code. If a QR code download is an .apk file, delete it. Real apps are distributed through the App Store or Google Play — never through a URL from a random code.
- Never install an iOS configuration profile you didn't request. If anything prompts you to install a profile after scanning, decline and close the page immediately.
Frequently asked questions
Can a QR code automatically download something to my phone?
A QR code can only open a URL — it cannot download anything by itself. But the page that URL opens can trigger a download automatically, the same way any website can. On modern iOS and Android, your browser will usually show a confirmation before saving a file, but small file types (PDFs, calendar files) may be handled silently. Executable files like .apk require an explicit install step beyond the initial download.
How can I tell if the downloaded file is dangerous?
Check the file extension. .apk files on Android are the highest risk — they install apps. .mobileconfig files on iOS can route your traffic through a scammer's servers. PDFs carry moderate risk if your viewer is unpatched. Calendar (.ics) and contact (.vcf) files are low risk. Any file with a mismatched name and extension — like “invoice.apk” or “receipt.pdf.exe” — is a red flag. When in doubt, delete the file without opening it.
What if I already opened the file that downloaded from the QR code?
If you opened a PDF or image and it seemed normal, update your apps and OS immediately to patch any vulnerabilities, then delete the file. If you opened and installed an .apk, go to Settings → Apps on Android, find and uninstall any unfamiliar app installed around that time, and change your email and banking passwords. If your phone is behaving strangely afterward, consider a factory reset after backing up your photos and contacts.
See where a QR code goes before it can download anything
QRsafer previews the destination URL and checks it for threats before your browser opens it — so a page that pushes malicious downloads gets flagged before it loads. Free on iOS and Android.
