From the McAfee blog:
Last year a friend had a bright idea for a party game that involved a series of QR codes in a circle on paper. He called it QR Code Roulette. Unlike the gambling game, selecting the right 2D barcode did not make you a winner. It turned out that every QR code contained a URL to an Internet shock site. As soon as I or our other friends scanned a QR code with our phones we witnessed things that probably can’t be unseen. This was a good prank, but fortunately due to my distrust of autoloading and autorunning code I had an app that previewed the URL. If the address were a risky site or malware download I could choose not to visit the URL.
 
 
These QR codes are safe. They point to McAfee mobile security downloads and our Virus Information Library. To verify, download one of the QR code apps mentioned and view the preview URL.
My friend’s little joke drove home the necessity of not blindly scanning every QR code I run across. Some of my colleagues aren’t as lucky. I was discussing a recent threat of malware distributed by QR codes with a couple of coworkers who are penetration testers. They test the security of their clients’ networks and systems nearly daily and are very skilled computer security professionals. Although both of them had QR code-scanning apps on their phone, neither had one that could provide a preview of the URL. I ended up suggesting a couple of free barcode-scanning apps that would keep them from being unpleasantly surprised.
Although distributing mobile malware through QR codes is becoming popular, it’s not a new idea. Security researcher Felix “FX” Lindner described similar attacks about three years ago at the 24th Chaos Communication Congress and DefCon 16. FX claimed that newspaper ads with QR codes are trusted implicitly by readers (“It’s in print; it must be true”) and would make a good vector for exploits and malware. The functionality that enabled the attacks was the automatic loading and following of URLs in QR codes. Point your phone at the QR code and you end up downloading mobile malware.
 
In 2007-2008 FX publicly painted a number of scenarios in which QR codes could be used maliciously. We have since seen malicious QR codes that link to mobile malware.
The risk from such downloaded malware is still relatively low, as these are not drive-by downloads. Users would still need to choose to install the JAR or APK files on their smartphones. The risk from exploits, though, is one to worry about. An attacker who places a link to a modified Apple iOS jailbreak exploit or an Android root exploit can take over a victim’s device or steal sensitive information (emails, social network credentials, credit card numbers, etc.). 
As I told my two colleagues, there are a number of free QR code- and barcode-scanning apps with preview functions for both Android and Apple iOS. The following are my suggestions for safer QR code scanners:
 
Google Android
Apple iOS
Protecting yourself from malicious QR codes and avoiding shock sites, mobile malware, and exploits doesn’t have to be too difficult.
- Use a mobile QR code-/barcode-scanning app that previews URLs
- Avoid suspicious URLs (for example, domains that don’t match ads, shortened URLs)
- Do not play “QR Code Roulette” 
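
A sketch of the kind of check a previewing scanner can apply to a decoded QR payload before anything is opened, covering the warning signs listed above plus direct JAR/APK links. This is an added example, not code from the McAfee post or from any scanner app; the `preview_qr_payload` name, the shortener list and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed, illustrative set of URL-shortener hosts (not taken from the article).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
# Installable package types the article names.
PACKAGE_EXTS = (".apk", ".jar")


def preview_qr_payload(payload, expected_domain=None):
    """Return (text, warnings) for a decoded QR payload; nothing is fetched."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
    except ValueError:
        return text, ["malformed URL"]
    if parts.scheme.lower() not in ("http", "https"):
        return text, ["not an http(s) URL; do not auto-open"]
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return text, ["URL has no host"]
    warnings = []
    # Extra check beyond the article: text before '@' is not the real host.
    if parts.username or parts.password:
        warnings.append("userinfo before '@' can disguise the real host")
    if host in SHORTENERS:
        warnings.append("shortened URL hides the final destination")
    if expected_domain:
        exp = expected_domain.lower()
        # Accept the advertiser's domain itself or any subdomain of it.
        if host != exp and not host.endswith("." + exp):
            warnings.append(f"host {host} does not match advertiser {exp}")
    if parts.path.lower().endswith(PACKAGE_EXTS):
        warnings.append("links directly to an installable package")
    return text, warnings


if __name__ == "__main__":
    # Constructed sample payloads; the ad is assumed to be for example.com.
    samples = [
        "https://www.example.com/promo",
        "http://bit.ly/abc123",
        "http://downloads.example.net/game.apk",
        "https://example.com@files.example.org/app.jar",
        "tel:+15555550100",
    ]
    for s in samples:
        url, notes = preview_qr_payload(s, expected_domain="example.com")
        print(url, "->", notes or ["no warnings"])
```

The function only inspects the string, so it can run before the scanner hands the URL to a browser; a clean result means none of these signs were present, not that the destination is safe.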