Can address scanning save me?

[MarryWithBTC]

Hello dear bitcoiners!

if i suspect that my mobile device might be infected, such that if i copy and paste an address, it could be replaced by a scammer. Then i decided to use the QR code and scan method, will I still be vulnerable?

[nc50lc]

Clipbpard hijacking malware are mostly specific to your clipboard.
While in-app address/URI QR code scanners usually are built to decode the QR and paste it directly to the intended text field, so it shouldn't be affected.
Of course, keep it a habit to double check the characters of your recipient's address.

However, if your device is infected, whether it's just clipboard hijacking malware:
Stop using the wallet that's installed in it, keep it offline, and use another device to send your funds to another wallet.

Do not ever trust a device that's already infected since it must have another malware or two.

[MarryWithBTC]

Clipbpard hijacking malware are mostly specific to your clipboard.
While in-app address/URI QR code scanners usually are built to decode the QR and paste it directly to the intended text field, so it shouldn't be affected.

i thought as much. i was being curious and ast the same time scared.

Of course, keep it a habit to double check the characters of your recipient's address.

i double check if the amount is below $50.
i triple check if it is above $100
then, i check ten times if it is above $1000 lol

However, if your device is infected, whether it's just clipboard hijacking malware:
Stop using the wallet that's installed in it, keep it offline, and use another device to send your funds to another wallet.

Do not ever trust a device that's already infected since it must have another malware or two.

Thank you. Best for my peace of mind.

[Charles-Tim]

If you scan the QR code, it will not be vulnerable just as it has been explained above, but it is very important to also test your device, making sure it is not affected by the clipboard malware. Copy the address, paste it somewhere to know if it changes. If it changes, it is better your format the device. Make sure you check where you backup seed phrase before doing that.

I still pretty much use the copy/paste, especially if I am using a single device. To save the QR code to the device and use it on the same device is not necessary for me when I make sure that I check the address that I am sending to very well before sending any coins.

Also if your device can be vulnerable to clipboard malware, what makes it not possible that it will not be vulnerable to other malware that are not clipboard but which can make your wallet vulnerable? It is good to try as much as possible to avoid malware also.

[DannyHamilton]

I've seen malware replace QR Codes.  The scanning on your device will probably be fine, but depending on where you are getting the QR Code from, it may be possible for that code to be incorrect.

[LFC_Bitcoin]

I’d throw that device in the bin and get a new one. I know it’s overkill and you can easily restore to factory settings but I need peace of mind. If I suspected a device I use for a significant amount of my holdings was compromised, I am extracting the private keys and binning it.

[BitMaxz]

I suggest learn to have a separate device for offline transaction just like mine. If you want to do the same, you can have a separate offline wallet on another phone as your hardware wallet device never connect it online and only use it to sign a transaction and another device for making unsign transaction. The wallet software I use is Electrum on both devices.
About the QR code, you can scan it from your offline wallet and review everything before signing it. Make it a habit because this method is more secure than just using it as a hot wallet, because there are lots of possible attacks while your device is connected online. Since your keys are in your offline device, you are far from most of the online attacks. Even if your online device is infected, you can always review the transaction from your offline device to determine if the QR code generated is hijacked or not. You can just ignore it or don't sign it when you notice a different address while reviewing the transaction from your offline device.

[EL MOHA]

Best practice is:

• Always  verify first and last characters of the address after scanning.

You know what this is exactly what the scammers what you to actually do, just verify the prefixes and the suffixes, they can easily just create a vanity address with the suffixes and prefixes been the same as yours as we have heard in the past from address copy and paste scams in the past. The best practice remains carefully checking every one of the addresses before proceeding to actually broadcast your transaction.

I am extracting the private keys and binning it.

The private keys extracted should not be permanently used too, because with the device infected there is chance keys and seed phrases are not save too so best is to sweep that wallet entirely into a new wallet on another new device. This way you’re sure the wallet isn’t infected too

[MusaMohamed]

Of course, keep it a habit to double check the characters of your recipient's address.

Checking a Bitcoin addresss characters before finalize a transaction broadcast is important for the transaction and fund safety.
How to lose your Bitcoins with CTRL-C CTRL-V.

Using Control C and Control V for copy and paste a Bitcoin address is easy practice but for OPSEC, spending some more seconds for checking characters can save us from mistakes and accidents during transaction broadcasting time.

[LoyceV]

Always  verify first and last characters of the address after scanning.

Did you pull this out of a chatbot? Read How to lose your Bitcoins with CTRL-C CTRL-V to see why this is a bad idea.

I’d throw that device in the bin

I'd throw it in a drawer Never dispose of devices that hold private information.

you can have a separate offline wallet on another phone as your hardware wallet device never connect it online

Phones are terrible for offline usage. To start: you can't really install that wallet without going online first. Things like "find my phone" or GPS trackers are hard to turn off, the thing will keep trying to connect somewhere.

If you want to sign offline, learn how to do it on a laptop. To get you started:

Online:
Install Electrum on your PC.
Import your address to create a watch-only wallet.
Preview the transaction, Copy the unsigned transaction. Put it on a USB stick.

Offline and running without hard drive storage:
Get a Linux LIVE DVD. Use Knoppix or Tails for instance, or any other distribution that comes with Electrum pre-installed.
Unplug your internet cable. Close the curtains. Reboot your computer and start up from that DVD. Don't enter any wireless connection password. Keep it offline.
Start Electrum. Import your private key.
Copy your unsigned transaction from the USB stick, load it into Electrum.
CHECK the transaction in Electrum. Check the fees, check the amount, check all destination addresses (character by character).
If all is okay, sign the transaction. Copy it back to your USB stick.
Turn off the computer. That wipes the Live LINUX from memory and all traces are gone.

Online:
Use your normal online Electrum to (check again and) broadcast the transaction.

Adjust the above depending on your needs, and make sure you know what you're doing before doing it.

[MarryWithBTC]

I've seen malware replace QR Codes.  The scanning on your device will probably be fine, but depending on where you are getting the QR Code from, it may be possible for that code to be incorrect.

This is my fear, but I believe that for malware to replace QR codes, it must be a high malware that not an everyday scammer will be able to have.

[promise444c5]

I've seen malware replace QR Codes.  The scanning on your device will probably be fine, but depending on where you are getting the QR Code from, it may be possible for that code to be incorrect.

This is my fear, but I believe that for malware to replace QR codes, it must be a high malware that not an everyday scammer will be able to have.

Malware is malware, and it is designed for a purpose.

Depending on what you are using the QR code for, you can always verify it on the device that scanned it to confirm the details are correct, for example an address QR code. On the second device, you will see the full details, so verify the address again before constructing your transaction.

[nc50lc]

I've seen malware replace QR Codes.  The scanning on your device will probably be fine, but depending on where you are getting the QR Code from, it may be possible for that code to be incorrect.

This is my fear, but I believe that for malware to replace QR codes, it must be a high malware that not an everyday scammer will be able to have.

You concern is about an example device where there's a clipboard hijacking malware.
For the QR code replacement to happen, the recipient's device should be the one that's infected which is not in your control.

In case where you're still willing to use a clipboard malware-infected device despite all the warnings we've mentioned:
Just do not use any third-party scanners to decode the QR code and use your wallet's in-app scanner.
If you're provided with a wrong QR Code by the recipient due to a malware on his device and he didn't show the correct bitcoin address for you to double-check, it should be on him, not your fault.

[BattleDog]

QR codes help with clipboard malware but they're not magic. If your device is compromised enough, malware can hook into the QR scanner itself or mess with what gets displayed on screen after scanning.
The only real answer is: don't sign transactions on a device you don't trust. If you think it's infected, assume everything on that device is compromised - what you see, what you copy, what you scan. Use a clean device for signing or go full airgap.
Always verify addresses on the hardware wallet screen itself, not on your computer or phone. That's the whole point of having one.

[Charles-Tim]

If you think it's infected, assume everything on that device is compromised - what you see, what you copy, what you scan. Use a clean device for signing or go full airgap.

You have good points but it is worth knowing that wallet on an airgapped device can scan compromised QR code. The problem is not the airgapped device nor wallet on the airgapped device, the problem is where the QR code is generated, first sent to or using third-party scanner on an online wallet.

If the QR code is generated on the wallet, there is no problem by using the wallet scanner or airgapped device scanner to receive the PSBT and sign it directly.