I Scanned a QR Code and It Took Me to the App Store — Is That a Scam?
A QR code sent you to the App Store or Google Play and now you're not sure whether that's normal or a sign of something malicious. The short answer: App Store redirects are common and the page itself is harmless — but what you install from it is a different story.
App Store redirects from QR codes are normal — up to a point
Brands use QR codes to drive app downloads all the time. A restaurant may display a QR code that points to their ordering app. A gym may put one on a welcome card that takes you to their class-booking app. A bank may include one in a mailer so you can install their mobile banking app.
In these cases, the QR code points directly to an App Store or Google Play listing for the official app. Landing on that listing is entirely safe. Apple and Google vet apps before listing them, and neither store can install anything on your device without you deliberately tapping Install (and authenticating with Face ID, Touch ID, or your password).
The risk is not the App Store redirect itself. The risk is what happens if you install the wrong app — and scammers know how to exploit that moment.
When an App Store redirect is a red flag
Attackers use QR codes to push fake lookalike apps. The pattern works because the App Store lends credibility — people assume anything listed there is safe. There are three main ways this scam plays out:
- Fake brand apps. A scammer creates an app named “Bank of America Mobile” or “PayPal Secure” with a similar icon. The app harvests your login credentials the moment you enter them. The App Store listing may look convincing at a glance — especially if the review count is suppressed.
- Malicious utilities disguised as tools. QR codes on parking kiosks, charging stations, or public signage sometimes link to apps described as “payment apps,” “Wi-Fi managers,” or “transit apps” that are actually credential stealers or adware. The legitimate payment system doesn't need a new app install at all.
- Unexpected redirects. If a QR code you scanned for a menu, a receipt, or a Wi-Fi sign sends you to an App Store page for something unrelated — especially a financial or communication app you weren't expecting — treat that as suspicious. Legitimate menus do not require installing apps.
How to check the App Store page before you tap Install
You have landed on the listing and haven't installed anything yet. That's the right moment to check. Run through this in thirty seconds:
- Check the developer name. It appears directly below the app title. For a major brand — Chase, PayPal, Starbucks — the developer should be the company itself, not an individual name or a vague entity like “App Solutions LLC.” If you don't recognize the developer, search for the app directly from the App Store instead of installing from this listing.
- Check the review count and rating. A legitimate app from an established brand typically has tens of thousands of ratings, sometimes millions. A fake app usually has very few, or shows a low count because the listing is new. Swipe down to read recent reviews; look for complaints about the app stealing information or behaving unexpectedly.
- Check the release date and update history. Scroll to the “Version History” or “Information” section. A real banking or payment app has been in the store for years with regular updates. An app first released this month with no update history is a red flag.
- Ask yourself: does this make sense? If the QR code was for a restaurant menu and you are now looking at a financial app, close the listing. The redirect makes no sense and is almost certainly malicious.
When in doubt, close the listing entirely. Then go directly to the App Store and search for the app by the brand name yourself — that way you are guaranteed to find the official version.
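The checks above, applied to listing metadata in code. This is an added example, not part of the original article: it first decides whether a scanned URL is really a store listing, then flags a record on developer name, rating count and release date. The record field names follow Apple's iTunes Lookup API results; the sample records, thresholds and function names are assumptions made for illustration.

```python
import re
from datetime import date
from urllib.parse import urlparse, parse_qs

# Constructed sample records. Field names follow Apple's iTunes Lookup API
# results; the apps, sellers and numbers are made up for this example.
OFFICIAL = {"trackName": "Example Bank Mobile", "sellerName": "Example Bank, N.A.",
            "userRatingCount": 250000, "releaseDate": "2014-03-01T08:00:00Z"}
LOOKALIKE = {"trackName": "Example Bank Mobile Secure", "sellerName": "App Solutions LLC",
             "userRatingCount": 12, "releaseDate": "2025-01-05T08:00:00Z"}

def store_listing(url):
    """Return ('ios', app_id) or ('android', package) if the QR payload is a
    store listing URL, else None. Hosts are compared exactly, so a lookalike
    host that merely starts with the store's name does not match."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if u.scheme != "https":
        return None
    if host == "apps.apple.com":
        m = re.search(r"/id(\d+)", u.path)
        return ("ios", m.group(1)) if m else None
    if host == "play.google.com" and u.path == "/store/apps/details":
        pkg = parse_qs(u.query).get("id")
        return ("android", pkg[0]) if pkg else None
    return None

def listing_flags(rec, expected_seller, today, min_ratings=10_000, min_age_days=365):
    """Apply the developer, rating-count and release-date checks to one record.
    The thresholds are assumptions chosen for illustration."""
    flags = []
    if rec["sellerName"].casefold() != expected_seller.casefold():
        flags.append("developer mismatch")
    if rec.get("userRatingCount", 0) < min_ratings:
        flags.append("few ratings")
    released = date.fromisoformat(rec["releaseDate"][:10])
    if (today - released).days < min_age_days:
        flags.append("recently released")
    return flags

if __name__ == "__main__":
    today = date(2025, 1, 20)  # fixed date so the output is reproducible
    print(store_listing("https://apps.apple.com/us/app/example-bank/id1234567890"))
    print(listing_flags(OFFICIAL, "Example Bank, N.A.", today))
    print(listing_flags(LOOKALIKE, "Example Bank, N.A.", today))
```

A record that passes all three checks still needs the last question from the list: whether an app install makes sense for what the QR code was supposed to do.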
What to do if you already installed the app
Do not enter any passwords, payment details, or personal information until you have verified the app is legitimate using the checks above.
If something about the app looks wrong — an unfamiliar login screen, requests for permissions that don't fit the app's purpose, or behavior you didn't expect — delete it immediately:
- iOS: Press and hold the app icon → Remove App → Delete App. Then go to Settings → Privacy & Security to review any permissions you may have granted.
- Android: Press and hold the app icon → App Info → Uninstall. Then check Settings → Apps → Permissions to revoke any access.
If you already entered credentials into a suspicious app, change the relevant password immediately from a trusted device. Enable two-factor authentication if you haven't already. Report the app to Apple (App Store listing → scroll to “Ratings & Reviews” → Report a Problem) or Google (Play Store → Flag as inappropriate).
For a complete recovery checklist covering every scenario, “What to do if you scanned a suspicious QR code” walks through each step in order.
Frequently asked questions
Is it safe if a QR code takes me to the App Store?
Landing on the App Store or Google Play page is not dangerous on its own — neither store installs anything without your explicit confirmation. The risk is in what you install. Before tapping Install, check the developer name, review count, and release history to confirm the app is the official version from the expected company.
How do I tell if an app in the App Store is fake?
Check the developer name — it should be the official company, not an individual or generic name. A legitimate app from a major brand will have tens of thousands of ratings and a multi-year history of updates. A fake lookalike typically has very few reviews and was recently published. When in doubt, close the listing and search for the app yourself in the App Store by brand name.
What should I do if I already installed the app?
Do not enter any credentials or payment info. Delete the app immediately (iOS: hold icon → Remove App; Android: hold icon → Uninstall), then review and revoke any permissions it was granted. If you already entered a password, change it on the real platform right now and enable two-factor authentication.
See where a QR code goes before it opens anything
QRsafer checks the destination URL against threat intelligence sources and shows you a Safe, Risky, or Dangerous verdict — before your browser or the App Store opens. Free on iOS and Android.
