Malware could potentially cause your airgapped computer to sign your transaction in a way that reveals a portion of your seed and/or private key to someone who knows where to look based on the malware. To anyone else, the transaction would look completely normal.
That is only fantasy talking unless you can show me some proof of that ever happening, and there is no way that seed words or private key could be exposed with QR codes.
Issue with QR code encoded malware is file size. A QR code offers extremely limited space, so it'd be super hard to transfer an actual piece of malware software - I'd dare to say impossible - over a single QR code. An input that leads to unexpected program behaviour? Maybe! It can be tried using fuzzing. You'd run the firmware in
qemu, then pass it millions of codes per second and see if you can trigger some buffer overflow or similar. But that's not malware, at least in the definition of 'a piece of software that causes harm', because that just takes too much space to begin with.
By the way; a quite entertaining video about fitting a game into a QR code:
https://www.youtube.com/watch?v=ExwqNreocpgIt's not so trivial to make any software, not to mention a sophisticated piece of malware, this compact.
A Hardware wallet such as a trezor for example offers much better security against malware. There are some potential security concerns with a trezor if an adversary were to have physical access to the device, but most people are more vulnerable to a $5 wrench attack, IMO.
Wrong.
Trezor wallet is fine for general use but it does not offer ''much better'' security against any malware, and it is inferior to any airgapped device, and this is not just my fantasy thinking.
One big issue I see with devices that use USB for firmware updates is that they have actually built-in mechanisms to replace the firmware via, well, USB. So that's already much easier for an attacker who likes to replace or modify the firmware with a malicious firmware (malware), because they can use the same 'gateway'. Any time you plug in your device, an attacker might try to exploit the update mechanism to change your firmware.
It would already be much better if non-airgapped devices that even have a microSD card slot already, used that for firmware updates exclusively and removed any code that allows to transfer firmware over USB. Since you don't update it so often, it wouldn't be a big inconvenience for the users and the attack surface would be greatly reduced..
Imagine: the device could be coded to reject anything sent over USB that is not a PSBT, so that would be already the first hurdle to overcome if one would like to try injecting or replacing the firmware when a user plugs in the device.
maybe Trezor is real air-gapped, with a new update, we can generate a wallet without using the internet (suite)
That's now possible with the latest Trezor Suite and/or firmware, but Ledger still uses USB cables, which could represent a possible attack vector. You are still connecting your Trezor hardware wallet to an online computer through its USB port.
But this is done with ledger nano as well.
You can recover and generate your wallet seed without using the internet.
That's not the definition of an air gap though. Actually,
every hardware wallet generates wallet seed without using the internet. Otherwise it would be an extremely crappy device that should never be used by anyone. For sending a transaction, you need to connect the ledger to an online PC otherwise how do you publish it? In the case of air gapped wallets, you send the transaction over QR to the online device, so the wallet is never connected to an internet-connected machine.