In the real world, this attack would likely have been far more effective since these researchers were handcuffed by ethical research rules. Attackers could place QRcodes over existing ones or deface public property like parking meters. Heck, who wouldn't scan a QR code stick that had been placed on the neighborhood cat?
With the incredibly long and spurious patch cycle for today's Android devices, scanning a QR code could result in a bad guy having complete control of your mobile phone. Be wary next time you see one of these codes, certainly use a reader app that at least shows you the URL before launching your, probably old, browser!