Once the QR code has been scanned and has become active, malicious JavaScript can then simulate login portals, exfiltrate data via hidden forms and fingerprint devices for further exploitation.

Over 25% of malicious JavaScript code is obfuscated by so-called 'packers', a software packaging method that has given attackers a way of evading signature-based detection, according to security ...

The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects.