A new cyber scam targeting air travellers at Indian airports has been exposed, involving a fraudulent Android application called “Lounge Pass,” according to cybersecurity firm CloudSEK. Bhaswati Guha Majumder of CXO News and APAC News Network reports.
The investigation has revealed that the app, distributed through fake websites like “loungepass.in,” operates as a sophisticated SMS stealer, intercepting and forwarding text messages from victims’ devices to cybercriminals, leading to substantial financial losses. Between July and August 2024, around 450 travellers unknowingly installed the malicious app, with reported losses exceeding Rs 9 lakh.
The team of researchers said: “Even though there are no specific airports targeted, the app is designed in such a way that the scam can operate at all the Indian airports.” On informing the government about such scams, the team said: “All CloudSEK reports are shared with the Indian Computer Emergency Response Team (CERT-In) and we are in the process of informing relevant government agencies.”
Modus Operandi
This scam diverges from typical SMS-stealing schemes by specifically targeting air travellers. The malicious app captures and relays all incoming SMS messages, giving attackers access to sensitive information, such as OTPs for financial transactions. The researchers found the stolen messages stored on an exposed Firebase endpoint, which the scammers exploited to gather intercepted data, amplifying the scope of the fraud.
CloudSEK’s team further traced the attack to additional domains sharing the same hosting server (154.41.240.248), likely forming a coordinated network to deceive travellers. Passive DNS data and social media analysis corroborated the app’s distribution through links shared via messaging platforms like WhatsApp, where victims received URLs labelled “AIRPORT LOUNGE ACCESS CHECK.”
Upon reverse engineering the Android application, investigators uncovered hard-coded secrets and Firebase URLs embedded in the app, which enabled SMS interception. The app’s permissions were unusually invasive for a lounge access tool, indicating its true intent. During the scam’s primary distribution period, identified through OSINT analysis, over 450 travellers suffered financial losses linked to intercepted OTPs and other sensitive data.
Safety Recommendations
CloudSEK has issued the following recommendations to help travellers protect themselves:
- Download Apps Only from Official Stores: Stick to verified sources like Google Play Store or Apple App Store, checking the app publisher and reviews for authenticity.
- Beware of Random QR Codes: Avoid scanning QR codes at airports or using direct APK links, as these could lead to scams. Always confirm the legitimacy of QR codes with airport or lounge staff.
- Limit App Permissions: Never grant SMS permissions to lounge or travel apps; legitimate services do not require access to messages.
- Book Through Official Channels: Use recognized sources such as banks, official airport websites, or trusted partners for lounge access.
- Monitor Account Activity: Enable transaction alerts and regularly check accounts to detect suspicious activity. Report any issues to your bank promptly.
Travellers are advised to remove any questionable lounge-related apps and review permissions for added security. With increasing scams targeting travellers, vigilance remains essential for safeguarding personal and financial data.
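The permission mismatch described above (a lounge app asking for SMS access) can be checked before an APK is ever installed. The following is an added example, not code from CloudSEK or from the app: it audits a decoded AndroidManifest.xml (the text form a tool such as apktool produces) for SMS permissions and receivers registered for incoming messages. The sample manifest, package name and receiver name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest (hypothetical package and receiver names,
# not taken from the real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lounge">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application>
        <receiver android:name=".SmsListener" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""


def audit_manifest(manifest_xml):
    """Report SMS permissions requested and receivers bound to incoming SMS."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    # A receiver filtering on SMS_RECEIVED sees every incoming text, OTPs included.
    receivers = [
        r.get(ANDROID_NS + "name")
        for r in root.iter("receiver")
        if SMS_RECEIVED_ACTION in {a.get(ANDROID_NS + "name") for a in r.iter("action")}
    ]
    sms_perms = sorted(requested & SMS_PERMISSIONS)
    return {
        "sms_permissions": sms_perms,
        "sms_receivers": receivers,
        "suspicious": bool(sms_perms or receivers),
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A flagged result is a prompt for closer review, since some legitimate app categories (messaging clients, for example) do request these permissions; a lounge or travel app is not one of them.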