It could be an AV engine doing it. Some phishing attacks have switched to using QR codes instead of links as an evasion technique in the last couple of years, so the anti-evasion to that is to decode it and browse the link to see if it's malicious.
The language used throughout this thread is terrible; "better click on it" you think an AV is literally loading up a full browser and forcing it to navigate to a random link it finds in a QR code on an image?
Even the title uses the word "executed" as if a QR code is "runnable" in some way; it's not. QR code related hacks are not some magical "scan this image and get pwnd", they're related to browser exploits and other methods of forcing code execution by way of the browser.
To my knowledge there have never been any "offline" QR code hacks, where simply scanning the QR code itself has ever led to an exploit. AV is generally dumb, but simply converting a QR code itself is harmless.
No, I don't think it's loading up a full browser - I think it's sending an HTTP request and then parsing the results to some degree. To whatever extent the HTTP request mechanism is secure, and the parsing mechanism is secure, it's secure. But you don't need a browser to have security holes - anything parsing random data from the internet could be a vector.
That said, I agree - parsing the QR code itself isn't really a vector I'd worry much about.
If you've ever seen Tavis Ormandy and P0's analysis of AV software, you know this isn't actually far-fetched. A lot of these products have horrifying vulnerabilities.