ZebrAttack: Data Breach via Android OS and App Vulnerabilities

Presented at AVAR 2014 by

Scanning a QR code image is a popular way to enter information into smartphones, thanks to open source scanning libraries such as ZXing ("Zebra Crossing"). For example, QR codes help smartphone users download apps from Google Play or access a web site, and they have become a key component of the O2O (online to offline) commerce framework. However, if an app does not handle QR code scanning properly, user information may leak. In this paper, we demonstrate how Android apps, e.g. apps developed by the well-known retailers Walgreen and Costco, leak sensitive user data when scanning a series of carefully designed QR images. We discuss attacks that combine loopholes in these apps with the Android vulnerability CVE-2014-1939. We also cover how attackers can exploit these vulnerable apps, together with social engineering techniques, to harvest passwords or credit card information from your phone.