Bogus Android Camera QR Code notification

Today I noticed an unusual silent notification supposedly coming from the default Samsung Camera app on my A70 Android phone.

The message reads:

‘Camera QR code scanned 11:46
Web page
Tap here to go to “joinxr.uk” in your browse…’

I say it’s unusual because at 11:46 today my phone was screenlocked and sitting in my trouser pocket. I had not used it from 09:30 to 12:15

Being suspicious that perhaps my phone had been hacked I contacted Norton support on their website Chat facility but after experiencing several closures of the chat window not performed by me and the technician not being able to take control of the device using the Rescue+ app due to the “control” session being terminated from my end, again not initiated by me, I decided to contact Norton support on the phone…

After getting through to the threat resolution specialist dept and relating the story again to the support rep (apparently not willing to look at the existing case log to get background info) I was told:

“not to worry just ignore it. It’s probably a notification that has come from your browser” He said that if I hadn’t allowed access to my phone by anyone or downloaded any dodgy apps I had nothing to worry about (which I hadnt). If that’s the case and that’s all you need to do then it begs the question as to whether we need to bother installing Norton360 on our Android devices at all…?!

Is this possible that someone can create a Camera app QR code notification via a browser (I’m using Edge) showing a link to any URL they want you to visit?

Shouldn’t Norton360 be stopping this kind of activity (if it is indeed possible) or at least even expressing an interest in it??

When I asked to be put through to someone else who might be a bit more interested I was promised a callback within 30 mins. Still waiting and TBH not holding my breath.

What are other peoples take on this whole thing?

The actual problem, the response and the suggested resolution…

Martin

Norton360 ver 5.56.0.230302003

Android ver 11
Kernel ver 4.14.190-24363203

Martin. Searching for "joinxr.uk" brings up many instances of a radical action group purported to be located in the UK. Related, COVID conspiracies and the like. On both my Galaxy Z-fold 4 and Galaxy A23-5G devices I DO NOT have a registered Samsung account and removed the default camera app when first setting up the devices because. There are serious issues with it, please read the article posted link below. If you do not use that app my recommendation is remove it. 

https://www.theverge.com/2023/3/16/23644013/samsung-exynos-modem-security-issue-project-zero

Conversely there are two outstanding CVE listings for Edge on Android. Have you updated/patched your Edge install on your device?

https://www.bleepingcomputer.com/news/security/android-march-2023-update-fixes-two-critical-code-execution-flaws/

Since your device also shows as a discontinued model Samsung may not be supporting nor releasing the patch(s) to correct the app issue on your device YET, although, you report you are on Android 11. Your model also shows as Qualcomm SDM675 Snapdragon 675 SOC which is most likely not vulnerable per the article. That being said, more likely than not you have experienced a browser or other notice attempting to have you open a website for the sole reason of possibly gaining access to your device. Support would be correct to state that IF, you haven't interacted with the notification you are likely not at risk. 

Clear your devices caches and reboot it. If you see this reappear then there is something to be concerned about. Otherwise its just a one off issue. 

SA