[JeremyNT]

> Or anything from FDroid.

This is the best heuristic to apply not just for QR code scanning, but for pretty much everything. To avoid malware, avoid the Play Store.

When using f-droid, also check out the project web site and git repo (at least in a cursory way, even if you can't fully audit the code, you can get a sense of who the developer is and the project's overall health from the commit log and issue tracker).

[benboozled]

I'm largely in the dark when it comes to Android security. What makes F-Droid so much safer?

[marcodiego]

F-droid only accepts open-source apps. Apps with anti-features are also marked as such.

Play store should be only used for things that you can't work around with apps from f-droid.

[SAI_Peregrinus]

It's not truly safer. It's just smaller, and only has open-source apps. So it's harder to hide malware, but still certainly possible (nobody checks most apps).

[marcodiego]

It seems much safer. F-droid apps are finely curated open-source apps and anti-features are marked and easily avoidable.

[SAI_Peregrinus]

The issue is the "finely curated" statement. It's not a full code review, just "Wherever possible, applications in the repository are built from source, and that source code is checked for potential security or privacy issues. This checking is far from exhaustive though, and there are no guarantees."[1] After an app is added to F-Droid it gets built from source by the F-Droid build servers, but it does not generally get re-reviewed. It's perfectly possible to add the malware after the initial release. It's also possible (even easy) for malware to be missed by the limited code review. F-Droid is a little safer, but that doesn't mean it's particularly safe. It's no harder to get malware on F-droid than it is to get it into Arch or Debian or any other distro repository.

[1] https://f-droid.org/en/about/