I Scanned a QR Code and It Installed an App — What to Do Now

You scanned a QR code and your phone prompted you to install an app — or an app appeared on your device that you don't remember installing. Here's how to assess the risk, determine whether your phone is compromised, and exactly what to do next.

What actually happened when you scanned that QR code

A QR code is just a URL. It cannot install an app by itself — but the page it opens can. Attackers use several methods to get malicious apps onto your device after a QR scan:

  • Fake app store pages. The QR code opens a convincing lookalike of the App Store or Google Play, prompting you to install an app that isn't really from Apple or Google. On Android, this is often a direct .apk file download.
  • Direct APK links (Android). The QR redirects to a web page that automatically downloads an Android Package (.apk) file. If your phone has “Install unknown apps” enabled for your browser, you'll see a prompt to install. On stock settings, you'll first be asked to enable that permission.
  • Deep links to real app stores. Some QR codes legitimately link to an App Store or Play Store listing. Even if the listing looks real, verify the developer name matches the company you expected before installing.
  • iOS configuration profiles (MDM). Rather than an app, the QR code may push an iOS configuration profile, which is installed only after you approve it. Profiles can route your internet traffic through a scammer's servers and make your phone trust their certificates.
  • TestFlight abuse (iOS). Scammers sometimes use Apple's TestFlight platform to distribute fake “beta” apps outside the App Store. A QR code can link directly to a TestFlight invitation.
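The delivery methods listed above can be told apart from the redirect chain behind a QR code. The following is an added example, not part of the original article and not QRsafer's code, that labels each hop of such a chain; the .example hosts are constructed and the label names are this example's own, while the MIME types and store hostnames are the publicly documented ones.

```python
from urllib.parse import urlsplit

# Publicly documented MIME types and store hosts; the labels are this example's own.
APK_MIME = "application/vnd.android.package-archive"
PROFILE_MIME = "application/x-apple-aspen-config"
OFFICIAL_STORES = {"play.google.com", "apps.apple.com"}
STORE_WORDS = ("play.google", "apps.apple", "appstore", "playstore", "googleplay")
# Ordered from least to most concerning.
SEVERITY = ["web-page", "official-store", "testflight-invite",
            "store-lookalike", "ios-profile", "apk-download"]

def classify_hop(url, content_type=""):
    """Label one hop of a redirect chain with the delivery method it matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == APK_MIME or path.endswith(".apk"):
        return "apk-download"
    if ctype == PROFILE_MIME or path.endswith(".mobileconfig"):
        return "ios-profile"
    if host == "testflight.apple.com" and path.startswith("/join/"):
        return "testflight-invite"
    if host in OFFICIAL_STORES:
        return "official-store"  # a real listing still needs a developer-name check
    if any(word in host for word in STORE_WORDS):
        return "store-lookalike"  # store branding in a host that is not the store
    return "web-page"

def assess_chain(hops):
    """Return (worst_label, per_hop_labels) for a list of (url, content_type)."""
    labels = [classify_hop(url, ctype) for url, ctype in hops]
    worst = max(labels, key=SEVERITY.index) if labels else "web-page"
    return worst, labels

# Constructed sample chains with hypothetical hosts, not real observations.
SAMPLE_CHAINS = {
    "parking-sticker": [
        ("https://qr.short.example/p7", "text/html"),
        ("https://play.google.com.app-update.example/store/apps/details", "text/html"),
        ("https://cdn.app-update.example/files/ParkingPay.apk", "application/octet-stream"),
    ],
    "wifi-profile": [
        ("https://wifi-setup.example/connect", "text/html"),
        ("https://wifi-setup.example/get", "application/x-apple-aspen-config; charset=utf-8"),
    ],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(name, assess_chain(chain))
```

A server can mislabel its Content-Type or serve a download from a path with no extension, so read "web-page" as "no rule matched" rather than "safe".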

The single most important question is: did you actually tap through and complete an installation? If you declined or closed the page, your risk is very low.

Triage: find out exactly what happened

Work through these checks in order before taking any other action:

  1. Check your recently installed apps.
    • Android: Settings → Apps → sort by “Install time” (some versions: three-dot menu → Sort by install time). Look for anything unfamiliar installed in the past hour.
    • iPhone: Settings → General → iPhone Storage. Apps are listed with their last-used date. Look for any app you don't remember adding.
  2. Check your Downloads folder. On Android, open the Files app. On iPhone, check the Files app under Downloads. Look for any .apk file — if one is there and you haven't opened it, delete it immediately.
  3. Check for configuration profiles (iPhone). Go to Settings → General → VPN & Device Management. If you see a profile you don't recognize, that is the threat.
  4. Look at your app permissions. On Android, go to Settings → Privacy → Permission Manager. Check which apps have access to your camera, microphone, contacts, or SMS — any unfamiliar app with broad permissions is a serious red flag.

What to do right now — based on what you found

You were prompted to install but declined

Your risk is low. Delete any .apk file that may have downloaded to your Downloads folder, clear your browser cache, and move on. No app was installed.

An app was installed that you don't recognize (Android)

  1. Go to Settings → Apps, find the unfamiliar app, and tap Uninstall immediately.
  2. Check Settings → Privacy → Permission Manager and revoke any permissions granted to that app.
  3. Change passwords for your email and banking accounts — start with email, since it is the master key to all your other accounts.
  4. Run a malware scan with Malwarebytes for Android or Bitdefender Mobile Security.
  5. If your phone behaves strangely after uninstalling — battery draining fast, data usage spiking, unfamiliar notifications — perform a factory reset after backing up your photos and contacts.

A configuration profile was installed (iPhone)

  1. Go to Settings → General → VPN & Device Management.
  2. Tap the unrecognized profile and select Remove Profile.
  3. Check Settings → General → VPN & Device Management → VPN and remove any VPN you didn't set up yourself.
  4. Change your Apple ID password and Wi-Fi password as a precaution.

A TestFlight app was installed (iPhone)

  1. Open the TestFlight app and find the app you didn't knowingly join. Tap Stop Testing, then delete the app from your home screen.
  2. Change passwords for any accounts you accessed after installing the app.
  3. Contact Apple to report the fraudulent TestFlight listing.

Why QR codes are used to push fake apps

Google's and Apple's app stores have review processes that catch most malware. Attackers get around this by distributing apps directly via APK links (Android) or TestFlight (iOS) — and QR codes are the ideal delivery vehicle because they hide the destination URL until after your phone has already started loading the page.

Android devices are at significantly higher risk because the platform allows sideloading. If your browser has “Install unknown apps” enabled — a setting some apps request for legitimate reasons — an .apk file can be installed with as few as two taps. iOS is harder to exploit but not immune: MDM profiles and TestFlight apps can be installed through a browser without ever touching the App Store.

The most common targets are QR codes in public locations (parking kiosks, restaurant tables, gym equipment) and codes shared in social media DMs promising “exclusive” apps, games, or streaming access.

Frequently asked questions

Can a QR code install an app on my phone without my permission?

No — on stock iOS and Android devices, no app can install itself without explicit user confirmation. What QR codes can do is open a URL that leads to an app download page or a configuration profile prompt. On Android with “Install unknown apps” enabled, an APK can be installed with minimal friction. On iOS, apps can only arrive via the App Store, TestFlight, or an MDM profile — none of which are truly silent, though the prompts can be confusing.

How do I check if a malicious app was installed after scanning a QR code?

On Android, go to Settings → Apps and sort by install date to see what was recently added. Look for apps with generic or vague names that you don't recognize, then check their permissions. On iPhone, go to Settings → General → VPN & Device Management to check for any profiles you didn't install yourself. Running Malwarebytes on Android is a reliable way to surface any threats your manual check missed.

I got a prompt to install an app but I declined — am I safe?

Yes. Declining the install prompt means no app was installed on your device. The QR code may have linked to an APK download or a fake app store page, but without completing the install steps, there is no threat on your phone. Delete any .apk file that may have downloaded to your Downloads folder and clear your browser cache. No further action is needed unless you also entered personal information on the page the QR code led to.

See what a QR code leads to before it can push an install prompt

QRsafer previews the destination URL and checks it for threats before your browser opens it — so a page that tries to push a fake app install gets flagged before you ever see the prompt. Free on iOS and Android.
