Lounge pass app scam targeting Indian travelers uncovered, swindles Rs 9 lakh in a month

A new online scam involving a fake "Lounge Pass" app has been uncovered, reportedly targeting Indian travelers and resulting in substantial financial losses.

Cybersecurity experts from CloudSEK have confirmed that the scam was orchestrated through a malicious app distributed across multiple URLs, costing victims over Rs 9 lakh in the span of a single month.

A victim shared their story on social media, recounting an incident at Bengaluru’s Kempegowda International Airport on September 29. Having left her physical credit card at home, she presented a digital image of it to gain lounge access. She reported that lounge attendants then asked her to download the "Lounge Pass" app via a URL shared on WhatsApp. Following their instructions, she completed a face scan for "security purposes" and shared her screen with the alleged scammers.

After several weeks, she noticed strange occurrences - like an unknown "male voice" answering her calls. Her credit card bill later revealed an unauthorized transaction of Rs 87,125 to a PhonePe account. She discovered that call-forwarding was enabled on her phone, which she believes was done through the malicious app. This incident has since been reported to the cybercrime cell.

The cybersecurity team at CloudSEK confirmed the existence of the scam through an open-source investigation. Their analysis found that the app utilized a sophisticated SMS-stealer function, which, once installed, could control a device’s calls and SMS services. This allowed scammers to transfer money and intercept one-time passwords (OTPs) sent via text or call. Their reverse-engineering of the app’s APK revealed an exposed Firebase endpoint used by scammers to store intercepted SMS data.

During July and August 2024 alone, 450 people installed the app, leading to a loss exceeding Rs 9 lakh.

CloudSEK researchers warn that the actual scale of the scam may be larger, as their analysis only covered one endpoint.

CloudSEK advises travelers to avoid downloading lounge access apps from unknown sources and to trust only verified app stores, like Google Play or the App Store.

Users should scrutinize app permissions and avoid granting SMS or calling permissions unless absolutely necessary. Additionally, travelers should be wary of scanning random QR codes at airports. Two-factor authentication (2FA) on banking and UPI apps provides an added layer of security against unauthorized transactions.

By staying vigilant and following these guidelines, travelers can help protect themselves from falling victim to similar scams.