Generally speaking, a skimmer is a small device used to steal credit/debit card information. Thieves will place them on top of card insertion slots on unwatched payment terminals, like those on gas station pumps and outdoor ATMs. When you insert your card, the card passes through the skimmer, which captures the magnetic stripe data. Later, the thief will return and collect the recorded data, sometimes allowing them to make purchases using the stolen card information.

There are a few different types of skimmers, ranging from devices placed on top of payment terminals to chips placed inside the terminals that intercept all incoming data. The latter are much harder to detect, and usually use Bluetooth to offload stored data (so the thief doesn't have to re-open the machine later). SparkFun, a site dedicated to educating people about technology, has developed an app that can detect some of these advanced skimmers.

I highly recommend reading SparkFun's blog post about the process (at the first source link below), but essentially, the app searches for nearby Bluetooth devices with an ID of 'HC-05'. That's the device name of a popular skimmer chip, which SparkFun obtained for analysis and testing. Once the app finds a matching device, it tries to connect with the default password of 1234. Finally, the app sends the letter 'P' to the device, and if the device responds with 'M', there's probably a card skimmer nearby.

This detection is possible because the people making these skimmer chips never change the Bluetooth radio's default settings. SparkFun obtained three devices for testing, and they all contained the same device ID and password. The letter 'P' is one of several commands that SparkFun identified, which always returns 'M' with the tested skimmers (I assume it's a debugging command).
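The three checks described above (device name, default password, 'P'/'M' exchange) can be kept as separate stages so that a device matching only the name is reported differently from one that passes all three. This is an added sketch, not SparkFun's code: the `Transport` interface, the simulated radio, the verdict labels and the sample devices are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SKIMMER_NAME = "HC-05"            # device name given in the article
DEFAULT_PIN = "1234"              # default password given in the article
PROBE, EXPECTED = b"P", b"M"      # command and reply given in the article

@dataclass(frozen=True)
class Device:                     # one scan result (constructed model, not a platform API)
    address: str
    name: str

# Hypothetical transport: pair with `pin`, send `payload`, return the reply,
# or None when pairing/connection fails. Real code would wrap the OS Bluetooth stack.
Transport = Callable[[Device, str, bytes], Optional[bytes]]

def classify(dev: Device, send: Transport) -> str:
    if dev.name != SKIMMER_NAME:
        return "ignored"                  # never contacted
    try:
        reply = send(dev, DEFAULT_PIN, PROBE)
    except OSError:                       # radio errors count as no answer
        reply = None
    if reply is None:
        return "name-only"                # right name, default PIN rejected
    if reply.strip() == EXPECTED:         # tolerating trailing CR/LF is a choice made here
        return "likely-skimmer"
    return "paired-no-match"              # default settings, but not the 'M' reply

def scan_report(devices: List[Device], send: Transport) -> Dict[str, str]:
    return {d.address: classify(d, send) for d in devices}

def fake_radio(table: Dict[str, dict]) -> Transport:
    """Simulated radio so the example runs offline."""
    def send(dev, pin, payload):
        entry = table.get(dev.address)
        if entry is None or entry["pin"] != pin:
            return None
        return entry["replies"].get(payload, b"")
    return send

# Constructed sample data: addresses, names and behaviours are made up.
SCAN = [Device("00:00:00:00:00:01", "HC-05"), Device("00:00:00:00:00:02", "HC-05"),
        Device("00:00:00:00:00:03", "HC-05"), Device("00:00:00:00:00:04", "Car Audio")]
RADIO = fake_radio({
    "00:00:00:00:00:01": {"pin": "1234", "replies": {b"P": b"M"}},
    "00:00:00:00:00:02": {"pin": "1234", "replies": {b"P": b"P"}},  # echoes its input
    "00:00:00:00:00:03": {"pin": "9876", "replies": {}},
    "00:00:00:00:00:04": {"pin": "0000", "replies": {}},
})
```

Calling `scan_report(SCAN, RADIO)` returns one verdict per address; only the first constructed device passes all three stages.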

You can download the app from the Play Store below, and the code is open-source too. And in case you were wondering, you can't use the app to retrieve card information from skimmers. You can find SparkFun's fascinating blog post about the entire process at the first source link below.