Comment No more dangerous than URL shortening services (Score 2) 234
Depending on how your phone scanner app is configured, QR code URL content may be shown on the screen as a link you can choose whether or not to open. But the links are often shortened so as to make for a smaller or less dense QR code box. And that puts this "risk" in the same category and amount as following any other bit.ly "mystery meat" link that resolves on the redirect service in a redirect to the real destination.
If your browser is built like shit and visiting a "maliciously constructed" webpage can cause code execution on your system, well that's still not a problem with the QR code technology.
QR is vulnerable to "spoofing" in the sense that for example a printed advert with a link on it to download an endorsed phone app - could with a cheaply produced sticker placed over the legitimate code become corrupted so the new code points to some other app. With Android's allowance for un-regulated third-party app installations, there is some concern there that this could lead to unwitting users downloading and installing a malicious app that masquerades as the endorsed, legitimate one.
The solution here could be to extend the established Android app signing system to have an "advisory" service that ranks the credibility of the individual app signing developers and publishers and as part of the app installation process can give you a heads-up hey wait a minute this app publisher has a strongly negative trust ranking maybe you shouldn't install it.
I want nothing like Apple's walled garden, but a voluntary model where you can get a "green seal" as a trustworthy app publisher and specifically trusted apps, might go a long way.