New Online Scam Targets Indian Travelers with Fake "Lounge Pass" App
In a concerning development for travelers in India, a new online scam involving a fraudulent "Lounge Pass" app has been uncovered, leading to significant financial losses for unsuspecting victims. Cybersecurity experts from CloudSEK have confirmed that this malicious scheme has already cost victims over Rs 9 lakh in just one month, with the potential for even greater losses as investigations continue.
The Mechanics of the Scam
The scam operates through a malicious app that has been distributed across various URLs, often shared via social media platforms like WhatsApp. The app is designed to deceive users into believing they are downloading a legitimate service that grants access to airport lounges. However, once installed, the app employs sophisticated tactics to steal sensitive information and manipulate the victim’s phone.
A victim’s harrowing experience at Bengaluru’s Kempegowda International Airport on September 29 illustrates the scam’s modus operandi. After forgetting her physical credit card at home, she attempted to gain lounge access using a digital image of her card. Lounge attendants then directed her to download the "Lounge Pass" app via a URL they provided on WhatsApp. Following their instructions, she completed a face scan for "security purposes" and unwittingly shared her screen with the scammers.
The Aftermath: Financial Loss and Disturbing Discoveries
Weeks later, the victim began to notice unsettling changes. An unknown male voice started answering her calls, raising her suspicions. A review of her credit card bill revealed an unauthorized transaction of Rs 87,125 to a PhonePe account. Alarmingly, she discovered that call forwarding had been enabled on her phone, a likely consequence of the malicious app. This incident has since been reported to the cybercrime cell, highlighting the urgent need for awareness and action against such scams.
Cybersecurity Analysis: How the Scam Works
CloudSEK’s cybersecurity team conducted an open-source investigation into the scam and confirmed its existence. Their analysis revealed that the app contained a sophisticated SMS-stealer function. Once installed, the app could gain control over the device’s calls and SMS services, allowing scammers to transfer money and intercept one-time passwords (OTPs) sent via text or call.
Further reverse-engineering of the app’s APK file uncovered an exposed Firebase endpoint used by the scammers to store intercepted SMS data. This level of sophistication indicates a well-organized operation, making it imperative for users to remain vigilant.
The Scale of the Scam
During the months of July and August 2024 alone, approximately 450 individuals installed the malicious app, leading to a cumulative loss exceeding Rs 9 lakh. However, CloudSEK researchers caution that the actual scale of the scam may be much larger, as their analysis only covered one endpoint. This suggests that many more victims may be out there, unaware of the risks they face.
Precautionary Measures for Travelers
In light of this alarming scam, CloudSEK has issued several recommendations for travelers to protect themselves:
- Avoid Unknown Sources: Travelers should refrain from downloading lounge access apps from unverified sources. It is crucial to trust only recognized app stores, such as Google Play or the App Store.
- Scrutinize App Permissions: Users should carefully review app permissions and avoid granting access to SMS or calling features unless absolutely necessary.
- Be Wary of QR Codes: Travelers should exercise caution when scanning random QR codes at airports, as these may lead to malicious sites or apps.
- Enable Two-Factor Authentication (2FA): Implementing 2FA on banking and UPI apps adds an extra layer of security against unauthorized transactions.
- Stay Informed and Vigilant: By staying updated on the latest scams and following these guidelines, travelers can significantly reduce their risk of falling victim to similar schemes.
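For analysts or IT teams asked to vet an APK before anyone installs it, the permission review recommended above can be automated. The following is an added example, not CloudSEK's tooling: it parses the output of `aapt dump permissions` and flags the SMS-plus-calling combination the analysis describes. The package name, the sample dump and the three-tier verdict are constructed assumptions.

```python
import re

# Real Android permission names; grouping them this way is this example's choice.
SMS_PERMS = {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"}
CALL_PERMS = {"CALL_PHONE", "READ_CALL_LOG", "ANSWER_PHONE_CALLS"}

# Constructed sample in the format printed by `aapt dump permissions <apk>`.
# It is NOT taken from the actual malicious APK.
SAMPLE_DUMP = """\
package: com.example.loungepass
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.CAMERA'
"""

# Accepts both the newer "name='...'" form and the older bare form.
PERM_RE = re.compile(
    r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)'?", re.M
)


def triage(dump: str) -> dict:
    """Classify an app by the SMS and calling permissions it requests."""
    pkg = re.search(r"^package:\s*(\S+)", dump, re.M)
    # Keep only the short name, e.g. "READ_SMS".
    requested = {p.rsplit(".", 1)[-1] for p in PERM_RE.findall(dump)}
    sms = sorted(requested & SMS_PERMS)
    calls = sorted(requested & CALL_PERMS)
    if sms and calls:
        verdict = "high"    # can read OTPs and also place or control calls
    elif sms or calls:
        verdict = "review"  # one sensitive group: ask why the app needs it
    else:
        verdict = "low"
    return {
        "package": pkg.group(1) if pkg else None,
        "sms": sms,
        "calls": calls,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

A lounge-access app has no functional need for either permission group, so a "high" or "review" verdict on such an app is a reason to block installation and inspect the APK further.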
Conclusion
The emergence of the fake "Lounge Pass" app scam serves as a stark reminder of the vulnerabilities that travelers face in an increasingly digital world. By exercising caution and adhering to best practices for online security, individuals can better protect themselves from the dangers posed by cybercriminals. Awareness and vigilance are key in ensuring a safe and enjoyable travel experience.