Can address scanning save me?

[MarryWithBTC]

Hello dear bitcoiners!

if i suspect that my mobile device might be infected, such that if i copy and paste an address, it could be replaced by a scammer. Then i decided to use the QR code and scan method, will I still be vulnerable?

[nc50lc]

Clipbpard hijacking malware are mostly specific to your clipboard.
While in-app address/URI QR code scanners usually are built to decode the QR and paste it directly to the intended text field, so it shouldn't be affected.
Of course, keep it a habit to double check the characters of your recipient's address.

However, if your device is infected, whether it's just clipboard hijacking malware:
Stop using the wallet that's installed in it, keep it offline, and use another device to send your funds to another wallet.

Do not ever trust a device that's already infected since it must have another malware or two.

[MarryWithBTC]

Clipbpard hijacking malware are mostly specific to your clipboard.
While in-app address/URI QR code scanners usually are built to decode the QR and paste it directly to the intended text field, so it shouldn't be affected.

i thought as much. i was being curious and ast the same time scared.

Of course, keep it a habit to double check the characters of your recipient's address.

i double check if the amount is below $50.
i triple check if it is above $100
then, i check ten times if it is above $1000 lol

However, if your device is infected, whether it's just clipboard hijacking malware:
Stop using the wallet that's installed in it, keep it offline, and use another device to send your funds to another wallet.

Do not ever trust a device that's already infected since it must have another malware or two.

Thank you. Best for my peace of mind.

[BitadzZ]

That's a good question, and part of why using a QR code can help prevent clipboard hijacking malware. The address isn't being pulled off your clipboard. However, using a QR code will NOT ensure your safety if your phone was already infected. Sophisticated malware may still intercept your transaction or manipulate your wallet app.

Best practice is:

• Always  verify first and last characters of the address after scanning.
• Use a trusted wallet app and ensure that your operating system is updated.

If you definitely think that you are infected, do not use that particular device for your transaction. Scanning helps, but most importantly, security matters.

[Charles-Tim]

If you scan the QR code, it will not be vulnerable just as it has been explained above, but it is very important to also test your device, making sure it is not affected by the clipboard malware. Copy the address, paste it somewhere to know if it changes. If it changes, it is better your format the device. Make sure you check where you backup seed phrase before doing that.

I still pretty much use the copy/paste, especially if I am using a single device. To save the QR code to the device and use it on the same device is not necessary for me when I make sure that I check the address that I am sending to very well before sending any coins.

Also if your device can be vulnerable to clipboard malware, what makes it not possible that it will not be vulnerable to other malware that are not clipboard but which can make your wallet vulnerable? It is good to try as much as possible to avoid malware also.

[DannyHamilton]

I've seen malware replace QR Codes.  The scanning on your device will probably be fine, but depending on where you are getting the QR Code from, it may be possible for that code to be incorrect.

[LFC_Bitcoin]

I’d throw that device in the bin and get a new one. I know it’s overkill and you can easily restore to factory settings but I need peace of mind. If I suspected a device I use for a significant amount of my holdings was compromised, I am extracting the private keys and binning it.

[BitMaxz]

I suggest learn to have a separate device for offline transaction just like mine. If you want to do the same, you can have a separate offline wallet on another phone as your hardware wallet device never connect it online and only use it to sign a transaction and another device for making unsign transaction. The wallet software I use is Electrum on both devices.
About the QR code, you can scan it from your offline wallet and review everything before signing it. Make it a habit because this method is more secure than just using it as a hot wallet, because there are lots of possible attacks while your device is connected online. Since your keys are in your offline device, you are far from most of the online attacks. Even if your online device is infected, you can always review the transaction from your offline device to determine if the QR code generated is hijacked or not. You can just ignore it or don't sign it when you notice a different address while reviewing the transaction from your offline device.

[EL MOHA]

Best practice is:

• Always  verify first and last characters of the address after scanning.

You know what this is exactly what the scammers what you to actually do, just verify the prefixes and the suffixes, they can easily just create a vanity address with the suffixes and prefixes been the same as yours as we have heard in the past from address copy and paste scams in the past. The best practice remains carefully checking every one of the addresses before proceeding to actually broadcast your transaction.

I am extracting the private keys and binning it.

The private keys extracted should not be permanently used too, because with the device infected there is chance keys and seed phrases are not save too so best is to sweep that wallet entirely into a new wallet on another new device. This way you’re sure the wallet isn’t infected too

[MusaMohamed]

Of course, keep it a habit to double check the characters of your recipient's address.

Checking a Bitcoin addresss characters before finalize a transaction broadcast is important for the transaction and fund safety.
How to lose your Bitcoins with CTRL-C CTRL-V.

Using Control C and Control V for copy and paste a Bitcoin address is easy practice but for OPSEC, spending some more seconds for checking characters can save us from mistakes and accidents during transaction broadcasting time.

[LoyceV]

Always  verify first and last characters of the address after scanning.

Did you pull this out of a chatbot? Read How to lose your Bitcoins with CTRL-C CTRL-V to see why this is a bad idea.

I’d throw that device in the bin

I'd throw it in a drawer Never dispose of devices that hold private information.

you can have a separate offline wallet on another phone as your hardware wallet device never connect it online

Phones are terrible for offline usage. To start: you can't really install that wallet without going online first. Things like "find my phone" or GPS trackers are hard to turn off, the thing will keep trying to connect somewhere.

If you want to sign offline, learn how to do it on a laptop. To get you started:

Online:
Install Electrum on your PC.
Import your address to create a watch-only wallet.
Preview the transaction, Copy the unsigned transaction. Put it on a USB stick.

Offline and running without hard drive storage:
Get a Linux LIVE DVD. Use Knoppix or Tails for instance, or any other distribution that comes with Electrum pre-installed.
Unplug your internet cable. Close the curtains. Reboot your computer and start up from that DVD. Don't enter any wireless connection password. Keep it offline.
Start Electrum. Import your private key.
Copy your unsigned transaction from the USB stick, load it into Electrum.
CHECK the transaction in Electrum. Check the fees, check the amount, check all destination addresses (character by character).
If all is okay, sign the transaction. Copy it back to your USB stick.
Turn off the computer. That wipes the Live LINUX from memory and all traces are gone.

Online:
Use your normal online Electrum to (check again and) broadcast the transaction.

Adjust the above depending on your needs, and make sure you know what you're doing before doing it.