Carding via in-car infotainment systems and gas station skimming: A new arena for digital robbery

Good Carder

From carder to carders. While you're storming payment gateways through your browser, another army of carders has long since switched to a new target: cars, gas stations, and electric vehicle infrastructure. Over 90% of new cars in the US are equipped with Android Auto or Apple CarPlay, and millions of drivers scan QR codes at gas stations every day, insert their cards into ATM slots, and don't even realize that their "secure" smartphone key is acting as a relay for your terminal. Skimming gas station terminals, spoofing QR codes, NFC relaying via Android Auto, CarPlay vulnerabilities, and exploiting electric vehicle charging stations — all this is your new testing ground. In 2026, these channels will generate more profit than traditional in-store carding. The "Ghost Tapped" scheme turns the victim's Android smartphone into your personal payment gateway. And 5G integration makes it possible to remotely steal tokens directly from the dashboard. This article presents a map of military operations. Weapons, targets, tactics, and OPSEC. Forget the browser. Your new battlefield is on wheels.

Part 1. Android Auto and Apple CarPlay: When the Smartphone Becomes the Gateway

Android Auto and Apple CarPlay aren't just "screen projection." They're deeply integrated systems that transmit data from your phone to the onboard computer. For a carder, this means an expanded attack surface: if you gain access to the CarPlay module, you potentially gain access to both stored payment data and vehicle control.

1.1. Architecture: Bluetooth, USB, iAP2, and Hidden Threats

Android Auto and Apple CarPlay use multiple communication channels:
  • USB is the most common, but requires physical contact.
  • Bluetooth - for wireless connection, vulnerable to pairing attacks.
  • Wi-Fi - for streaming (CarPlay uses AirPlay as a transport), can be compromised via fake access points.
  • iAP2 is Apple's proprietary protocol for CarPlay that uses one-way authentication, making it easier to create counterfeit devices.

Researchers discovered 23 vulnerabilities (17 Common Vulnerabilities and Exposures) in Apple's AirPlay stack, including CVE-2025-24132 — a stack buffer overflow that allows arbitrary code execution on the CarPlay module via USB, Bluetooth, or even the internet. A patch was released in April 2025, but as of September 2025, "only a few manufacturers have integrated it into their products." This means millions of cars are still vulnerable.

1.2. Exploiting CVE-2025-24132: USB Hacking

Attack algorithm:
  1. Preparation: Create a USB device that emulates an iPhone.
  2. Connection. The device connects to the car's CarPlay port.
  3. Exploit: A specially crafted iAP2 packet causes a buffer overflow.
  4. Backdoor installation. Malware is installed on the infotainment system.
  5. Data access. Malware intercepts saved payment data, tracks, and contacts, and can affect the display.
  6. Remote access. Through the installed backdoor, an attacker can connect to the system remotely, even while the vehicle is moving, and send commands to display fake payment interfaces.

1.3. Android Auto and Zombie Apps: Third-Party App Stores as a Path to Infection

Google blocks certain categories of apps in Android Auto (such as video players), but bypassing them through third-party stores (AAAD, Fermata) poses risks. These apps are often installed not from Google Play, but through APK files downloaded from forums. In 2026, a modified version of Fermata Auto was found to contain a Trojan that intercepted payment data when the phone connected to Android Auto. Trusting such apps raises suspicions that the developer charges a fee for access and may distribute malicious code for free.

Part 2. Gas Station Attacks: Skimming, QR Code Pranks, and Fake Terminals

Gas stations are the perfect place for a combination of low-tech skimming and modern digital attacks. According to FICO, attacks on gas station payment terminals increased by 90% by 2025.

2.1. Skimming and shimming at gas stations: the magnetic stripe is not dead

Despite the transition to chip-based payment systems, many gas stations in the US and Europe still use outdated terminals that accept magnetic stripes. Skimmers can be installed at gas stations in seconds. Outdoor pumps are perfect targets. Skimmers can be installed there in seconds; they are invisible to the driver and can operate for weeks, collecting data from every card swiped through the pump.

  • Shimming: Thin devices are inserted into the slot, reading the chip data. It is impossible to detect a shimmer without opening the terminal.
  • PIN pad overlays: Cameras or membrane keypads over the original ones for recording PIN codes.
  • Bluetooth skimmers: Allow you to upload stolen tracks remotely, without returning to the station.
  • Card cloning: Collected data (tracks 1 and 2) is written to blank plastic using the MSR605. The clone works in terminals without a chip.

2.2. QR code swapping (Quishing): payment gateway substitution

With the development of contactless payments, QR codes for app payments have appeared at gas stations. Criminals print counterfeit QR stickers and affix them over real ones. Drivers scan the code, thinking they've reached a payment page, but are instead redirected to a phishing site where they enter their card details (CVV, expiration date, number) — and these details are stolen.

Good old skimming is still popular — clones, overlays, and shimmers collect tracking information and PIN codes. But there's also a scheme that involves replacing QR codes: a sticker over the original leads to a phishing page simulating a payment gateway. The intercepted data is then used for standard carding. In one case in India, two men were arrested for using counterfeit payment apps that displayed a fake successful payment screen while the real funds were being transferred to controlled accounts.

2.3. NFC Relay via Android Auto (Ghost Tapped)

Ghost Tapped is a Trojan that turns an Android smartphone into an NFC signal repeater. As of March 2026, over 54 variants were identified and actively sold on darknet Telegram markets.

Here's how it works:
  1. Infection. The victim installs a phishing app (for example, a fake bank update or an Android Auto booster).
  2. Permission request. The app requests access to NFC.
  3. Relay. When the victim's phone is near a terminal (at a gas station or store), the Trojan activates and relays the card's signal (or stored token) to a remote terminal controlled by the attacker.
  4. The payment is debited from the victim's card, even though the victim never even tapped the card.

Ghost Tapped is most dangerous when paired with Android Auto, when the phone is always connected to the car and within range of NFC terminals (for example, at gas stations with contactless payment terminals at the pumps). The Trojan activates automatically, and the victim is unaware that their card has been stolen along with the gas.

Part 3. Electric Charging Stations and Other Targets: The Evolution of Payments

Electric vehicles are a new, rapidly growing target. Charging stations use apps for payment and are often vulnerable due to their internet connection.

3.1. Cybersquatting at charging stations

Electric vehicle owners often install apps to pay for charging (such as JuicePass). The problem is that some charging stations open a web interface that doesn't properly verify SSL certificates. By spoofing an access point with a name similar to the official one ("EVgo_Free"), it's possible to intercept card data entered into the browser.

3.2. Quishing at charging stations

Many stations accept payment via QR code. By covering the original code with a fake one, the attacker redirects the driver to a fake website, where they enter their payment information.

3.3. Infinite Charging Vulnerability

Some stations (identified using one Chinese manufacturer) had a bug: if a "refund" was initiated before charging was complete, the system would refund the prepayment but not stop the power supply. The money would be refunded, but charging would continue. Free "gas."

Part 4. Equipment and infrastructure for a practical attack

4.1. Software: from emulators to MitM proxies

  • CarlinKit Dongle: Wireless CarPlay devices may have their own vulnerabilities. VicOne researchers found five zero-day vulnerabilities in the CarlinKit CPC200-CCPA and 70mai A510. Exploiting the dongle could lead to access to the car's network, and from there, payment information.
  • Fermata Auto / AAAD: These apps are the primary malware delivery vector. Look for GitHub repositories with modified versions (Fermata Auto, Fermata Mirror). Many of them request permissions beyond their intended functionality (NFC access, call management, SMS reading).
  • Developing your own APK: Create an Android Auto app that requests FOREGROUND_SERVICE. Disguise it as a player. After gaining NFC access, send the card data to your server.

4.2. Hardware for physical access

  • Bluetooth Skimmer (HC-05 + Arduino): Installed in the card slot, it transmits data to your laptop within a radius of 50 meters.
  • USB Rubber Ducky (for CarPlay): A device that emulates a keyboard. It connects to a car's USB port and runs a pre-loaded script to exploit a CarPlay vulnerability.
  • Flipper Zero / Proxmark3 RDV4: Reads, emulates and hacks NFC cards, and can also emulate RF keys for accessing a room or starting a car (if the firmware supports Hitag2/Megamos).

Part 5. Checklist for a Beginner Carder

  1. Study the area map (physical reconnaissance): Which gas stations near you have old terminals? Do they have external pumps? Are there cameras installed? The best time to install a skimmer at a gas station is 3-4 am (Saturday-Sunday), when traffic is at its lowest.
  2. Check the software: Install CarLife/AAAD/Fermata on a test Android device. Use Wireshark to check where the app sends data. Explore the target devices (Carlinkit, Dongle).
  3. Ghost Tapped (preparation): Rent a VPS in the target gas station's region. Set up a repeater (NGate scripts) on it. Create a phishing page simulating a banking app update (or a "screen accelerator for Android Auto") and send links via targeted SMS messages (purchased phone number databases).
  4. EV station layout (first goal): Look for charging stations in your city with poor security, especially those without surveillance cameras. Check them out by connecting to their Wi-Fi.
  5. Cleanup: After collecting the data, destroy the skimmer. For QR stickers (quishing), wait for the victim to pay and then leave. Your device (proxy relay) should be on a different SIM card and not interfere with your primary "clean" phone.

Summary

In-car infotainment systems and gas station infrastructure are an open gateway for millions of payment records. Gas station skimming, QR code substitution, and 5G integration make it possible to collect cards en masse without physical contact. CarPlay vulnerabilities allow hackers to penetrate the system and intercept stored payment tokens. Ghost Tapped and other NFC Trojans turn any driver's phone into a personal payment terminal.

In 2027, these schemes are already generating a steady income for those willing to leave the house, get their hands dirty, and brave surveillance cameras. But OPSEC must not be forgotten: physical concealment, on-site trace cleanup, and device isolation remain fundamental. And most importantly, don't be greedy. One gas station, one clone, one relayed payment. The security systems of gas stations and automakers are not perfect, but they are evolving inexorably.

A quick one-line reminder:
"Gas station skimming, QR code spoofing, CarPlay USB vulnerabilities, Ghost Tapped NFC relay — these are the four pillars of 2027. Your goal is to make them pay before they update their terminals. The Philippines, India, Brazil, the US — where the magnetic stripe is still alive, that's your prey. Implement software into Android Auto, stick stickers on QR codes, and withdraw money through relays. Gas stations are the new Walmart, only their security is at 2010 levels."
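Added defender-side example, not code from the post above: the post's "zombie app" vector relies on a sideloaded media app for Android Auto asking for permissions a player never needs (NFC, SMS, call control). The Python audit below parses an Android manifest, checks whether the app declares Android Auto support, and flags those out-of-scope permissions, the kind of check an app-vetting or fleet team can run before allowing a sideloaded APK. The sample manifest is constructed; the permission and meta-data names are the real Android ones.

```python
"""Flag out-of-scope permissions in an Android Auto media app's manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Real meta-data key that marks an app as supporting Android Auto projection.
CAR_APP_META = "com.google.android.gms.car.application"

# Real permission names; a media/player app projected to a head unit needs none of them.
SUSPICIOUS = {
    "android.permission.NFC": "contactless card traffic can be read or relayed",
    "android.permission.READ_SMS": "SMS one-time codes can be harvested",
    "android.permission.RECEIVE_SMS": "SMS one-time codes can be harvested",
    "android.permission.SEND_SMS": "SMS can be sent from the device",
    "android.permission.CALL_PHONE": "call control is outside a media app's scope",
    "android.permission.ANSWER_PHONE_CALLS": "call control is outside a media app's scope",
    "android.permission.READ_CALL_LOG": "call history is outside a media app's scope",
}


def audit_manifest(xml_text: str) -> dict:
    """Return package name, Android Auto flag, suspicious permissions and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    car_app = any(m.get(ANDROID_NS + "name") == CAR_APP_META
                  for m in root.iter("meta-data"))
    findings = {p: SUSPICIOUS[p] for p in sorted(perms) if p in SUSPICIOUS}
    # FOREGROUND_SERVICE alone is normal for a player, so it is not a finding by itself.
    return {"package": root.get("package"), "car_app": car_app,
            "findings": findings, "verdict": "REJECT" if findings else "OK"}


# Constructed sample: a "player" that also wants NFC and SMS access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Constructed player">
    <meta-data android:name="com.google.android.gms.car.application"
               android:resource="@xml/automotive_app_desc"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], "car_app" if report["car_app"] else "", report["verdict"])
    for perm, why in report["findings"].items():
        print(f"  {perm}: {why}")
```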
 