I Scanned a QR Code and My Phone Got Hacked — What to Do Now

You scanned a QR code, something felt off, and now you're worried your phone has been hacked. Here's how to figure out what actually happened, how to tell if your device is genuinely compromised, and exactly what steps to take right now.

What “getting hacked” actually means in a QR code context

The word “hacked” covers a wide range. In the context of a QR code scan, there are three meaningfully different things that could have happened, and only some of them are serious.

  • Your credentials were phished. The QR code took you to a page that looked like a real login — your bank, Google, Apple ID, or a payment app. If you typed your username and password, the attacker now has those credentials. Your phone itself is not compromised, but your account is.
  • You installed a malicious app. The QR code directed you to download an app outside the App Store or Google Play. Sideloaded apps on Android can access your files, contacts, camera, and microphone. On iOS, this is much harder — Apple's sandboxing prevents most sideloading — but enterprise certificates and MDM profiles can be exploited.
  • You only visited a suspicious page. If the QR code opened a web page and you looked at it, maybe felt uneasy, then closed it — without entering any information, approving a download, or granting permissions — your risk is low. A web page alone cannot access your phone's data, install apps, or steal passwords.

There is a fourth, rare scenario: browser exploit kits that attack unpatched vulnerabilities silently on page load. These exist but are uncommon in consumer QR scams and require your browser to be significantly out of date. Keeping iOS and Android updated closes these attack surfaces.

Signs your phone may actually be compromised

If you're seeing any of the following after a suspicious scan, take them seriously:

  • Apps you don't remember installing appearing on your home screen or in Settings → Apps
  • Battery draining faster than usual, even when you're not actively using the phone
  • Mobile data usage spiking with no obvious cause (check in Settings → Cellular or Mobile Data)
  • Your phone running warm at idle — a sign of background processing
  • Contacts receiving texts, emails, or social messages from you that you didn't send
  • Accounts showing login activity from unfamiliar locations or devices
  • New email filters or forwarding rules you didn't set

None of these symptoms alone is proof — batteries degrade, apps misbehave, and background sync can spike data. But a cluster of them appearing shortly after a suspicious scan is a clear signal to act.

What to do right now

Your response should match what happened. Work through these steps in order.

If you entered credentials on the page

  1. Go directly to the real website — type the address yourself — and change your password immediately.
  2. Sign out of all active sessions (most platforms offer “sign out everywhere” in security settings).
  3. Enable two-factor authentication if it isn't already on.
  4. If it was a financial account, call the number on the back of your card or your bank's fraud line and report it.
  5. Check whether you reuse that password elsewhere and change it on every site where it appears.

If you approved a download or app install

  1. Find and uninstall the app immediately: Settings → Apps (Android) or Settings → General → iPhone Storage (iOS).
  2. Check app permissions for any recently installed apps that seem to have access to contacts, location, camera, or microphone they shouldn't need.
  3. Change passwords for your email and any financial accounts as a precaution.
  4. Run a scan with a reputable mobile security app (Malwarebytes, Bitdefender) on Android — iOS has fewer options but fewer risks too.
  5. If behavior continues, perform a factory reset. Back up photos and contacts to iCloud/Google first, and be selective about which apps you reinstall.

If you only visited the page and closed it

  1. Close the tab if it's still open.
  2. Clear your browser history and cache: Safari → Settings → Clear History and Website Data; Chrome → Settings → Privacy → Clear browsing data.
  3. Monitor your accounts for unusual activity over the next 24–48 hours.
  4. No password changes are necessary unless you entered credentials.

How to prevent this from happening again

The core problem with QR codes is that you cannot see their destination before scanning. Every time you point your camera at a code, you're trusting that whoever placed it is honest — and attackers know this.

  • Use a scanner that shows the URL before opening it. QRsafer intercepts the destination, checks it against threat intelligence databases, and returns a Safe, Risky, or Dangerous verdict before your browser loads anything. A phishing page won't pass that check.
  • Always read the URL after scanning. Even with a clean safety verdict, glance at the domain. Look for misspellings, extra hyphens, or unfamiliar extensions — classic signs of a lookalike phishing domain.
  • Never log in through a page you reached by scanning a QR code. If a page asks for your credentials, navigate to that platform directly by typing the address yourself.
  • Never install an app via a QR code. Real apps are distributed through the App Store or Google Play. Any QR code directing you to download an app from a website is a major red flag.
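The URL checks in the list above, written as an added example (not QRsafer's code and not part of the original article): it inspects a decoded QR payload for the lookalike signs the list names before anything is opened. The `KNOWN_DOMAINS` and `FAMILIAR_TLDS` sets, the flag names, and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumed for illustration: domains the user expects, and TLDs treated as familiar.
KNOWN_DOMAINS = {"paypal.com", "google.com", "apple.com"}
FAMILIAR_TLDS = {"com", "org", "net", "gov", "edu"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_qr_url(payload):
    """Return a list of warning flags for a decoded QR payload (empty = none found)."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if parts.username is not None:
        flags.append("userinfo-in-url")   # text before '@' is not the real host
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")   # raw IP instead of a domain name
        return flags
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-label")    # possible look-alike characters
    # Naive last-two-labels split; a real tool would use the Public Suffix List.
    domain = ".".join(host.split(".")[-2:])
    if domain in KNOWN_DOMAINS:
        return flags
    if domain.rsplit(".", 1)[-1] not in FAMILIAR_TLDS:
        flags.append("unfamiliar-tld")
    if domain.count("-") >= 2:
        flags.append("extra-hyphens")
    for known in sorted(KNOWN_DOMAINS):
        name, brand = domain.split(".")[0], known.split(".")[0]
        if 0 < edit_distance(name, brand) <= 2 or brand in name.replace("-", ""):
            flags.append(f"lookalike-of:{known}")
    return flags
```

An empty result only means none of these heuristics fired; it is not a safety verdict, which is why the advice to type the address yourself before logging in still applies.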

For a complete guide to what malicious QR codes can and can't do, see “What happens if you scan a fake QR code”, which walks through every scenario in plain language.

Frequently asked questions

Can scanning a QR code actually hack your phone?

By itself, scanning a QR code and landing on a web page is very unlikely to compromise your phone. Modern mobile browsers sandbox web pages so they can't access your files or apps without your permission. Real compromise almost always requires a second step — you typed credentials into a phishing page, approved an app install, or granted permissions. If you only visited the page and closed it, your risk is low.

How can I tell if my phone was actually hacked after scanning a QR code?

Warning signs include unfamiliar apps appearing on your device, battery draining faster than normal, unexplained data usage spikes, your phone running hot at idle, or accounts sending messages you didn't write. If several of these appear together shortly after a suspicious scan where you entered information or approved a download, treat it as a likely compromise.

What should I do right now if I think my phone was hacked?

Change passwords for any accounts you accessed around the time of the scan — start with email, then banking and payment apps. Check for unrecognized apps and uninstall them. Revoke permissions that seem excessive. Enable two-factor authentication on important accounts. Contact your bank if you entered financial details. If symptoms persist, perform a factory reset after backing up essential data.
