Google Play Carding Works on games and everything else

November 17, 2018

The dark web is full of content that ranges from illegal weapons to anything legal you may find. In today's article, we will show how vulnerable Google Playstore is to some of the items that can be found on the dark web: stolen financial credentials that were skimmed, sniffed, and scanned from POS terminals, ATMs, and vulnerable online shops using different scripts. One example of such a script is Magecart. Stolen credentials, especially credit cards, then go to dark web shops such as Joker Stash, Rescator, CVV-ME, and many more.


As proof that these things happen and work on a well-known app store such as Google Playstore, we present a case study from some respondents in which card details sold on the dark web worked on the Playstore for an application that we will not name, to protect the identity of the app.

  1. The scenario starts with the respondents going to a darknet store (in this case Joker Stash). Next, they purchased a CVV card from the store; the card has to be VALID in order to work. This case shows that there are valid cards that will work.
  2. Using the Android platform: the respondents signed in to their account in the Playstore and then managed to enter the stolen card details using the "add a payment method" option via


[Image: Carding Works on Playstore]
Surprisingly, the details entered were accepted without any additional security measures such as Verified by Visa or Secured by Mastercard. This is surprising because most e-commerce sites have a 2FA feature or a verification code through PayPal before a credit/debit card can be added.
  3. The next step was to launch the app and access its premium features, where a purchase with real money is required, in order to test the card.
  4. It got through: an estimated 100 USD went through, which shocked the respondents themselves. They would never have imagined that carding the Playstore is possible, and currently it is.
  5. Out of precaution, the respondents then contacted Playstore as per instructions to get the transaction refunded, and Google obliged within 24 to 48 hours.
  6. The refund was a success; please refer to the screenshot (we have redacted information to protect the brands involved).

[Screenshot: Games and Everything Else]

The Conclusion:

While these activities are inevitable, financial institutions should be aware that leaked/stolen card information is not to be taken lightly, and should devise a strategy to protect customer data or possibly recover it.

E-commerce sites/platforms should add an extra layer of security so that black-market information does not pass easily through their platforms.
