That seems quite difficult to combat. Especially if there is a 0 day exploit based in the web browser for iOS or Android devices that attackers could use for their nefarious purposes.

Not sure about Android, but on iOS, when one scans a QR code it shows the web address on the screen that the user then taps on. For the average user, I doubt that they are going to question what the URL is before following through to the website.

Perhaps Apple and Google could implement a sort of verification that a link is suspect or not, and prompt the user to either proceed or not. Anti-phishing blocklists are a thing, so it would seem that it wouldn’t be too difficult. Though that would not stop domains that have not been added to the blocklists from passing the verification attempts.