Scam Alert! Over 450 Indian Travelers Robbed of Lakhs by Fake Airport App - Could You Be Next?
BANGALORE — Imagine the convenience of accessing a serene airport lounge, a sanctuary away from the hustle and bustle of the terminal. But what if this simple desire becomes a gateway to a cybersecurity nightmare?
CloudSEK’s Threat Research Team has brought to light a sophisticated scam preying on unsuspecting air travelers across India. Over 450 passengers have fallen victim, losing more than Rs 9 lakhs (approximately $11,000) due to a fake app posing as “Lounge Pass.”
The fraud centers around air travelers seeking lounge access—a common desire for those looking to relax before flights—and uses a fake Android app to gain access to victims’ financial data.
The discovery has revealed only the tip of the iceberg, as similar scams are popping up, posing a growing threat to travelers.
Traveler’s Nightmare Unfolds: How the Scam Came to Light
The scam was first exposed through a viral post on X (formerly Twitter), where a passenger recounted how they lost over Rs 87,000 at Bangalore Airport using the fake “Lounge Pass” app.
Alarmed by the incident, CloudSEK’s Threat Research Team launched a thorough investigation, uncovering the scale of the scam. What seemed like an isolated incident quickly evolved into a full-fledged, organized operation impacting hundreds of passengers nationwide.
Scam Highlights: A Snapshot of What Went Wrong
- 450 Victims: Between July and August 2024, around 450 air travelers unknowingly installed the fake “Lounge Pass” app on their Android devices.
- INR 9 Lakhs Lost: The scammers used intercepted SMS messages to steal over INR 9 lakhs in a matter of weeks.
- Widespread Impact: The fake app was mainly circulated through WhatsApp messages, leading users to malicious websites, including loungepass[.]in, loungepass[.]info, and loungepass[.]online.
A Deeper Dive: How the Scam Worked
This scam was particularly cunning because it exploited a traveler’s desire for convenience. Unlike traditional financial scams that pose as banking apps, the attackers targeted a service that’s commonly used by air travelers—airport lounge access.
Here’s a detailed look at how the scammers tricked victims:
Step-by-Step Modus Operandi
- Distribution Through WhatsApp: Scammers distributed links to download the fake “Lounge Pass” app via WhatsApp messages, directing users to malicious domains.
- Installation of Fake App: Unsuspecting users downloaded the app, unknowingly granting it dangerous permissions, including access to read their SMS messages.
- Stealing Sensitive Information: The app silently intercepted incoming SMS, capturing crucial information like One-Time Passwords (OTPs) and financial alerts.
- Transmitting Stolen Data: The intercepted SMS data was automatically forwarded to the scammers’ Firebase server.
- Financial Theft: Using the stolen OTPs and other sensitive data, the scammers gained unauthorized access to the victims’ accounts, draining funds swiftly.
Uncovering the Technical Details: CloudSEK’s Investigation
CloudSEK’s team delved deep into the app’s code and unearthed a complex scheme. By reverse-engineering the fake “Lounge Pass” app, researchers found that it requested excessive permissions, allowing it full access to SMS messages.
The breakthrough came when they discovered a major flaw in the scammers’ operation: an exposed Firebase endpoint. This vulnerability enabled CloudSEK to trace the intercepted data, analyze the scale of the scam, and track the stolen funds.
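The permission pattern described above (SMS access combined with a network path off the device) can be checked in an app's manifest before it is trusted. The following Python check is an added example, not CloudSEK's tooling or code from the app; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the sample manifest, package name and receiver name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
INTERNET = "android.permission.INTERNET"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest; package and receiver names are placeholders,
# not values from the real "Lounge Pass" app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loungeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Report SMS-related capabilities declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    # Receivers that subscribe to the incoming-SMS broadcast.
    receivers = [
        r.get(ANDROID + "name")
        for r in root.iter("receiver")
        if any(a.get(ANDROID + "name") == SMS_RECEIVED for a in r.iter("action"))
    ]
    sms = sorted(declared & SMS_PERMISSIONS)
    has_network = INTERNET in declared
    return {
        "package": root.get("package"),
        "sms_permissions": sms,
        "sms_receivers": receivers,
        "has_network": has_network,
        # SMS access plus network access is the combination that lets an app
        # read OTPs and send them off the device.
        "suspicious": bool(sms) and has_network,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Legitimate messaging apps declare the same permissions, so a positive result is a triage flag to weigh against what the app claims to do; a lounge-booking app has no reason to match.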
Anshuman Das, a CloudSEK researcher, expressed concern, stating:
“The fact that 450 travelers have already fallen victim and over Rs 9 lakhs have been stolen is deeply concerning. This is just one fraudulent app that we have found; the possibility of thousands of similar fake apps being in operation cannot be denied. It is critical that travelers remain cautious and only install apps from official sources.”
Why This Scam is a New Kind of Threat
Unlike typical banking scams, this fraud is distinct in its focus. The attackers targeted a specific, niche behavior—airport lounge access—which makes the scam even more dangerous.
Many travelers, especially those rushing to catch flights, tend to rely on apps for quick access to lounges, often bypassing due diligence. The scammers exploited this vulnerability, creating an app that appeared legitimate but was, in reality, a front for financial theft.
Safety First: CloudSEK’s Tips for Secure Travel
To ensure the safety of air travelers, CloudSEK has released a set of guidelines:
Travel Safety Recommendations
- Download Apps from Trusted Sources: Only download lounge or travel apps from the Google Play Store or Apple App Store. Check the developer’s credentials, ratings, and user reviews before installing.
- Avoid Scanning Random QR Codes: Avoid scanning QR codes found at airports, lounges, or on WhatsApp. If in doubt, ask official airport staff or use authorized sources.
- Restrict SMS Permissions: Never grant SMS access to travel or lounge apps. Genuine apps should not require permission to read your SMS messages.
- Use Official Booking Channels: Book lounge access through official sources like banks, credit card offers, or the airport’s website. Booking directly at the lounge counter is also a safe choice.
- Monitor Financial Activity: Activate banking alerts, review account statements regularly, and report any unusual transactions immediately. Check the permissions of apps installed on your device and remove those that seem suspicious.
CloudSEK strongly advises travelers to be cautious and avoid downloading apps shared through unsolicited messages or unfamiliar channels. The fraudulent domains have been reported, but the threat of similar scams remains high.