1. A student can record only the attendance of himself/herself, so if they are doing it for other students, that means they are sharing usernames and password. No?
If that's the case, this a more serious problem than just recording attendance for other students.
2. You can set the QR code to rotate, and rotate fast enough so hopefully students won't be fast enough to share it effectively.
See the following settings in the Site Administration -> Plugins -> Activity modules -> Attendance area:
Rotate QR code/password interval (seconds) [attendance | rotateqrcodeinterval]
Rotate QR code/password expiry margin (seconds) [attendance | rotateqrcodeexpirymargin]
Of course you have to set the QR to rotate in the activity itself.
If you don't have this option and settings, maybe you are using an old version of the "Attendance" plugin.
3. If your students attend the campus physically, and you're not already using this option, check the "Require network address" [attendance | subnet] option and related settings. This way you can limit student to record attendance only while being connected to the campus Wi-Fi, for example.