A major scam targeting air travellers in India has come to light, with over 450 passengers losing more than ₹9 lakhs (around $11,000) through a fraudulent Android app called “Lounge Pass.” The app posed as a service to provide airport lounge access but instead stole users’ money. Authorities warn that this scam may be larger in scale, as several similar fake apps are circulating and this deceptive strategy is rapidly gaining momentum.
The scam, uncovered by CloudSEK’s threat research Team, specifically preys on travelers looking for airport lounge access, making it a unique and dangerous threat in the aviation industry.
The scam came to light after a viral post on social media platform X (formerly Twitter) detailed how a traveller at the Bengaluru Airport fell victim to the fraudulent app and lost over ₹87,000.
ALSO READ- Digital arrest scam: How a fake cop convinces victims to transfer funds to ‘clear’ their name
Key highlights of the scam:
450 travelers affected: Between July and August 2024, approximately 450 unsuspecting travellers installed the fake “Lounge Pass” app on their Android devices.
Over ₹9 lakhs stolen: The scammers intercepted SMS messages from victims’ phones, enabling them to steal over ₹9 lakhs during this brief period.
Targeted distribution: The malicious app was circulated via WhatsApp messages, directing users to domains like loungepass[.]in, loungepass[.]info, and loungepass[.]online, which were all linked to the scam.
ALSO READ- No end to flight chaos as 80 more get bomb threats
How the scam works
Unlike traditional SMS-stealing malware that typically masquerades as banking apps, this campaign took advantage of travelers’ need for lounge access services at airports.
Once installed, the fake “Lounge Pass” app secretly captured incoming SMS messages from the victim’s phone, including sensitive information like OTPs, which allowed the scammers to gain unauthorized access to the victims’ accounts and steal money.
The research team uncovered a critical flaw in the operation. The scammers had inadvertently exposed their Firebase endpoint, where stolen SMS messages were stored. This allowed the investigators to analyse the scale of the scam and trace the stolen funds.
Modus-Operandi
1. Distribution via WhatsApp: Scammers share a fake “Lounge Pass” app link via WhatsApp, directing victims to malicious domains.
2. App installation: Victims install the app, granting it access to SMS permissions.
3. Intercepting SMS: The app silently captures incoming SMS, including OTPs and financial alerts.
4. Forwarding stolen data: Intercepted SMS data is sent to the scammers’ Firebase server.
5. Financial exploitation: Scammers use the stolen information to access victims’ accounts and steal money.
ALSO READ- Government asks Meta and X to share data on hoax bomb threats to airlines
Technical findings
After reverse engineering, the fraudulent app, CloudSEK’s team discovered permissions within the app’s code that gave it full access to the victim’s SMS messages. The app was designed to forward intercepted messages to the scammers, enabling them to access OTPs and steal funds from victims’ accounts.
Anshuman Das, a CloudSEK researcher, said, “The fact that 450 travelers have already fallen victim and over INR 9 lakhs have been stolen is deeply concerning. This is just one fraudulent app that we have found; the possibility of thousands of similar fake apps being in operation cannot be denied. It is critical that travelers remain cautious and only install apps from official sources.”
ALSO READ- What happens when a flight receives bomb threat? Know airlines’ security protocol
Recommendations for safe air travel
Download only from trusted sources: Use only the Google Play Store or Apple App Store for lounge apps. Check the app publisher’s name, reviews, and download numbers before installing.
Avoid random QR codes: Don’t scan random QR codes at airports. Stick to official channels, and ask airport or lounge staff if in doubt.
Protect your SMS access: Never grant SMS permissions to lounge or travel apps. Legitimate apps don’t need SMS access.
Book through official channels: Use trusted sources like banks, credit card benefits, or official airport websites for lounge bookings. Booking directly at the lounge counter is always safe.
Monitor your accounts: Enable banking alerts, check accounts regularly, and report any suspicious activity to your bank. Review permissions of any installed lounge apps and remove those that seem unsafe.