Yes, that will work, until a scammer makes a clone of your website, and hands a merchant a QR code that redirects to his own website, that fakes a payment and makes it appear on-screen that a payment is being made, but in fact none is made and the bitcoins don't even exist. The Barcodes scanner application you referenced offers no capability of performing strict validation on the codes (the part I originally bolded in the OP), which is an important control on fraud. However, given that the app is open source, it could be modified by a developer to include such a feature.
Well, a similar attack could be run for mtgox.com, bitmit.net or any web site which handles web sites... I don't see it as a big threat. I hope those malicious clones won't be popping up.
And I think you are confusing things - the merchant who accepts those fake bitcoins doesn't need a QR code scanner at all - he just receives the bitcoins (which would be fake if the attacker succeeds in making the merchant use the fake service). So modifying the QR code scanner won't help the merchant receiving the coins, since he doesn't even use the QR code scanning functionality.
But that kind of attack is why I always advertise my service as easywallet.org - I have that domain registered for a pretty long time and it is guaranteed to be mine. Maybe those attackers could try something like easywallet.info or the like. But I hope that won't be a threat anytime soon.
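
One form the strict validation and the look-alike domain concern raised in this thread could take, as an added example that is not part of any post above and not code from the scanner app or from easywallet.org. It assumes the only acceptable origin is https://easywallet.org; the function name and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the single origin a scanned wallet link is allowed to open.
ALLOWED_HOSTS = {"easywallet.org"}

def validate_scanned_url(payload: str) -> tuple[bool, str]:
    """Return (accepted, reason) for the text decoded from a QR code."""
    text = payload.strip()
    # Whitespace or control characters inside a URL are never legitimate here
    if any(ch.isspace() or ord(ch) < 0x20 for ch in text):
        return False, "whitespace or control character in payload"
    try:
        parts = urlsplit(text)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    # "https://easywallet.org@other.example/" puts the trusted name in userinfo
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"
    if port not in (None, 443):
        return False, "non-default port"
    host = parts.hostname or ""
    # Reject homoglyph hosts outright instead of trying to normalise them
    if not host.isascii():
        return False, "non-ASCII host"
    # Exact match only: no suffix, prefix or substring comparison
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allow-list"
    return True, "ok"

# Constructed sample payloads, as a scanner might decode them
SAMPLES = [
    "https://easywallet.org/w/abc",
    "HTTPS://EasyWallet.org/w/abc",
    "http://easywallet.org/w/abc",
    "https://easywallet.info/w/abc",
    "https://easywallet.org.clone.example/w/abc",
    "https://easywallet.org@clone.example/w/abc",
    "https://easywallet.org:8443/w/abc",
    "https://easywallet.\u043erg/w/abc",  # Cyrillic "o" in the TLD
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(validate_scanned_url(s), ascii(s))
```

A check like this only protects whoever scans the code; it does nothing for a party who is shown a cloned site directly in a browser.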