An Introduction to Carding and Mobile App Vulnerabilities
Carding is a form of cybercrime in which attackers (carders) steal payment card data, such as the card number, expiration date, CVV code, and the cardholder's personal information, to conduct fraudulent transactions. Mobile apps, especially financial ones (banking apps and payment systems such as Google Pay or Apple Pay), are an attractive target because of their widespread use and the sensitive information they store. According to reports such as "In Plain Sight: The Vulnerability Epidemic in Financial Mobile Apps" by Aite Group, up to 97% of financial mobile apps have critical vulnerabilities that allow the code to be reverse engineered and sensitive data to be accessed. These vulnerabilities arise from weak design, outdated libraries, lack of encryption, and insufficient testing. For educational purposes, we will examine how carders exploit these vulnerabilities, but without step-by-step instructions; the focus is on understanding the mechanisms to raise security awareness.

Basic methods of exploiting vulnerabilities
Carders use a combination of technical and social methods. Here's a detailed breakdown of the key approaches, based on an analysis of real-world threats.

- Interception of data in transit (Man-in-the-Middle attacks, MITM):
  - Mobile apps often communicate with servers via APIs, and if strong transport encryption (such as TLS 1.3 with certificate pinning) isn't used, carders can intercept the traffic. Weak cryptographic algorithms such as MD5, or improper implementations of strong ones, have been detected in 80% of financial apps, allowing data in transit, including card numbers and payment tokens, to be decrypted.
  - How it works: Attackers use proxy tools to interpose themselves on the connection, especially on unsecured networks such as open Wi-Fi. In mobile apps without certificate pinning, carders can present a fake certificate that the app accepts, capturing card input data. This is especially relevant for payment apps that transmit data without end-to-end encryption.
  - Risk: Complete session theft, including OTPs (one-time passwords) used for two-factor authentication.
- Exploitation of unsafe data storage:
  - Many apps store card data unencrypted or weakly protected on the device (in local storage, cache, or even the clipboard). Research shows that 83% of apps use insecure data storage outside of a sandbox, making the data accessible to other apps or malware. On rooted or jailbroken devices, carders can easily extract this information.
  - How it works: Carders inject malware (for example, through phishing apps) that scans the file system. Ninety percent of apps exhibit unintended data leakage, where services share data with other apps potentially controlled by attackers. This allows them to steal stored tokens or full card data without user input.
  - Risk: Long-term access, including automatic filling of payment forms.
- Malicious code injection and exploitation:
  - Vulnerabilities such as SQL injection (60% of apps expose database parameters) allow backend requests to be manipulated, extracting card data from servers. Carders also exploit weak WebView components in apps by injecting JavaScript to capture input.
  - How it works: Carders exploit outdated payment-system SDKs (software development kits) or third-party libraries to inject code that logs keystrokes or intercepts forms. Reports indicate that reverse engineering takes an average of 8.5 minutes, exposing API keys and private certificates for further attacks.
  - Risk: Large-scale leaks, as in cases of malware disguised as legitimate updates.
- Phishing and social engineering in applications:
  - The lack of strong authentication (such as biometrics or 2FA) allows carders to use overlay attacks: malware overlays fake login screens on top of the real app, capturing card data.
  - How it works: Users are tricked by push notifications or fake updates, prompting them to enter their credentials. Combined with voice phishing (vishing), carders steal credentials and then link the cards to mobile wallets.
  - Risk: Direct access to accounts leading to fraud such as account takeover or synthetic identity fraud.
- NFC and mobile payments exploitation (example: Ghost Tap):
  - The Ghost Tap technique uses the NFCGate tool to relay NFC traffic between devices, allowing funds to be stolen from cards linked to mobile payments (Google Pay, Apple Pay). Carders first steal data through malware (overlays or keyloggers), then emulate an NFC tag on one device and read it on another.
  - How it works: The NFC data is relayed to a mule (acting as a proxy), who makes purchases in a store while the original device stays in airplane mode. This bypasses anti-fraud mechanisms, allowing transactions to be made simultaneously in multiple locations. Fast mobile networks and weak checks at POS terminals facilitate this.
  - Risk: Large-scale cash-out, including the purchase of gift cards, without the carder being physically present.
- Supply chain and third-party component attacks:
  - Carders attack app dependencies (libraries, SDKs) by injecting malicious code. The lack of binary protection in 97% of apps makes this easier.
  - How it works: Infected libraries collect input data or tokens. In financial apps, this leads to exposure of private keys (27% of cases), allowing offline password cracking and session decryption.
  - Risk: System leaks affecting millions of users.
Consequences and real-life examples
Consequences include financial losses, identity theft, and fraud. For example, in the US and Europe, retail banking apps have the highest number of critical vulnerabilities leading to data theft. Ghost Tap has evolved on the dark web, enabling theft on a global scale. Historically, leaks like Equifax (2017) demonstrated how weak mobile interfaces exacerbate problems, but modern threats focus on NFC and malware.

Protective measures
For developers:
- Implement code hardening, obfuscation, and runtime protections to prevent reverse engineering.
- Use strong encryption (AES-256), certificate pinning and secure storage (Keychain on iOS, Keystore on Android).
- Conduct regular audits, penetration testing, and SDK updates. Avoid hard-coded secrets.
- Implement runtime threat detection for malware and anomalous behavior.
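As an added example (not code from the original article), here is a small Python audit of an Android network_security_config.xml, the file that controls the transport settings behind the MITM section above and the certificate-pinning recommendation in this list: it flags cleartext traffic, user-installed CAs trusted in release builds (which is what lets an interception proxy's certificate be accepted), and API domains with no pin-set or no backup pin. The sample config and its domain names are constructed for illustration; the checks use the real config elements and attributes.

```python
"""Audit an Android network_security_config.xml for weak transport settings.
Added example, not the article's code; the sample config below is constructed."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example-bank.test</domain>
    <pin-set expiration="2026-12-31">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
  <domain-config>
    <domain>cdn.example-bank.test</domain>
  </domain-config>
</network-security-config>
"""

def _cleartext(elem, default: bool) -> bool:
    return elem.get("cleartextTrafficPermitted", str(default)).lower() == "true"

def audit_network_security_config(xml_text: str) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    # Absent attribute: treat as the Android 9+ default (cleartext disabled).
    base_cleartext = _cleartext(base, False) if base is not None else False
    if base_cleartext:
        findings.append("base-config permits cleartext (HTTP) traffic")
    # User CAs in base-config apply to release builds; <debug-overrides> do not.
    if base is not None and any(c.get("src") == "user" for c in base.iter("certificates")):
        findings.append("base-config trusts user-installed CAs (interception proxies accepted)")
    for dc in root.findall("domain-config"):
        label = ", ".join(d.text.strip() for d in dc.findall("domain") if d.text) or "<no domain>"
        if _cleartext(dc, base_cleartext):  # domain-config inherits from base-config
            findings.append(f"{label}: cleartext traffic permitted")
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(f"{label}: no pin-set, so certificate pinning is not enforced")
        elif len(pin_set.findall("pin")) < 2:
            findings.append(f"{label}: pin-set has no backup pin (key rotation will break the app)")
    return findings
```

Running `audit_network_security_config(SAMPLE_CONFIG)` reports five findings for the constructed config; a hardened config (cleartext off, only system CAs in base-config, user CAs confined to debug-overrides, two pins per API domain) returns an empty list.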
For users:
- Use only official apps from trusted stores, update your OS and apps.
- Enable biometrics, 2FA, and monitor transactions. Avoid rooting/jailbreaking.
- Do not enter data in suspicious forms; use virtual cards for online payments.
- Monitor credit reports and set alerts for suspicious activity.
This overview is based on an analysis of reports and threats for 2024–2025. For a more in-depth study, we recommend consulting the OWASP Mobile Security Project or cybersecurity reports. If you need clarification on a specific aspect, please ask!