Airport Lounge Pass Scam: CloudSEK Finds Fake App, 450 Fliers Cheated And Rs 9 Lakh Stolen

Scammers shared a fake lounge pass app link via WhatsApp, directing victims to malicious domains.


A ‘lounge pass’ scam targeting air travellers across India has reportedly cheated over 450 passengers and stolen over Rs 9 lakh. According to cybersecurity company CloudSEK, which uncovered the scam, a fraudulent Android app disguised as a lounge pass app targeted travellers looking for airport lounge access.

Scammers shared a fake lounge pass app link via WhatsApp, directing victims to malicious domains. These domains included loungepass[.]in, loungepass[.]info, and loungepass[.]online, which were all linked to the scam. Researchers discovered permissions within the fraudulent app’s code that gave it full access to the victim's SMS messages.

The app then secretly captured incoming SMS messages from the victim’s phone, including sensitive information like OTPs. Intercepted SMS data was sent to the scammers’ Firebase server, which allowed the scammers to gain unauthorised access to the victims' accounts and steal money.

The scam came to light after a post on social media, along with a follow-up, detailed how a traveller at Bangalore Airport fell victim to the fraudulent app and lost over Rs 87,000.

According to CloudSEK investigations, between July and August 2024, approximately 450 unsuspecting travellers installed the fake app on their Android devices. The scammers intercepted SMS messages from victims' phones, enabling them to steal over Rs 9 lakh during this brief period.

Anshuman Das, a CloudSEK researcher, said, "The fact that 450 travellers have already fallen victim and over INR 9 lakh have been stolen is deeply concerning. This is just one fraudulent app that we have found; the possibility of thousands of similar fake apps being in operation cannot be denied. It is critical that travelers remain cautious and only install apps from official sources."


Incidentally, the victim whose video went viral was using an Apple iPhone, and Das said it was unclear how her smartphone was hacked. This is because it is extremely difficult to sideload third-party apps to iOS, unlike Android. Das explained that CloudSEK would have to examine her device to reach any conclusions on the attack vector used in her case. One possibility is that the victim may have been guided to a website where she entered credit card details, and then allowed the scammer access to transaction OTPs on her iPhone, allowing the criminals to transact using her credit card.

CloudSEK suggested that all air travellers should be on high alert and avoid downloading apps shared via unsolicited WhatsApp messages or other unofficial sources. They should use only the Google Play Store or Apple App Store for lounge apps, and check the app publisher's name, reviews and download numbers before installing.

It also recommended that travellers don’t scan random QR codes at airports, and never grant SMS permissions to lounge or travel apps (legitimate apps don’t need SMS access). They should also use trusted sources like banks, credit card benefits, official airport websites and lounge counters for lounge bookings.

Travellers should also review the permissions of any installed lounge apps and remove those that seem unsafe. Additional steps include enabling banking alerts, checking accounts regularly and reporting any suspicious activity to their bank.

