Good research, but...
... some of the scenarios are somewhat constructed.
His tactic for such tokens was to surreptitiously turn on a smartphone’s front-facing camera to photograph the reflection of a QR code in a point of sale scanner’s protective cover. This attack also detects the configuration of the QR code and subtly changes its appearance to make it unreadable. The malware running the attack on the smartphone, however, manages to retain a perfect and usable QR code.
OK, so the targeted phone has already been compromised to such a level that the attack app has control over the screen. What's the point, then, of using the camera to try to catch the code? Why not just get it from a screengrab?
The technique can also be used to craft malicious QR codes that, when used for smartphone-to-smartphone payments, see the victim machine directed to download and run malware.
That's a vuln in the target smartphone's payment app. If it expects a payment token, and gets a "http:..." instead, it probably won't blindly say "oh, hey, why not, let's visit that site..."
All interesting techniques, and good that he did that research, but we're not very close to seeing that in the wild. Way more likely (and easier) to attack the payment service (for example with POS malware) directly.