Fake Lounge App Scam Robs Hundreds of Indian Travelers

October 28, 2024 | Cybersecurity
By Ashwani Mishra, Editor-Technology, 63SATS

In a world where convenience is king, airport lounges offer a quiet respite for weary travelers—a retreat from the terminal’s chaos. But a recent cyber scam has turned this simple luxury into a costly trap for hundreds of travelers across India.

CloudSEK’s Threat Research Team uncovered a sophisticated scheme involving a fake Android app, “Lounge Pass,” that has duped over 450 passengers into collectively losing more than ₹9 lakhs (about $11,000).

This scam’s ingenious twist lies in its targeting of a travel-related service, a tactic that diverges from traditional banking scams. By mimicking an app used for lounge access, cybercriminals exploited a niche behavior, preying on unsuspecting travelers looking for comfort and calm before their flights.

A Simple Download, A Costly Mistake

The scam was first brought to public attention when a traveler shared their experience on X (formerly Twitter), recounting how they lost over ₹87,000 using the fake app at Bangalore Airport.

CloudSEK’s team initiated an investigation, uncovering a far-reaching operation that had successfully ensnared hundreds of travelers nationwide.

The fake app, circulated mainly through WhatsApp, directed users to domains like loungepass[.]in and loungepass[.]online. These seemingly legitimate websites led travelers to download the fraudulent app, granting it dangerous permissions that allowed scammers to intercept SMS messages, including one-time passwords (OTPs) and banking alerts. Armed with this information, the hackers gained unauthorized access to victims’ accounts, quickly draining funds.

A Growing Threat Beyond India?

This scam highlights a concerning trend: the rise of hyper-targeted cyber attacks that exploit specific consumer behaviors.

While this particular fraud appears concentrated in India, the method itself could easily be replicated in airports and transport hubs worldwide. The combination of fake apps, social media distribution, and sophisticated phishing tactics is not limited by geography and could become a global issue as travel-related cyber threats grow in popularity.

Inside the Scam: How Travelers Got Duped

The lounge access scam was crafted with precision to exploit travelers’ need for quick, seamless services. Here’s a streamlined look at the scam’s execution:

WhatsApp Trap: Links for the fake “Lounge Pass” app circulated widely on WhatsApp, exploiting users’ trust in shared messages.

Risky Download: Victims unknowingly installed the app, granting it sensitive permissions like SMS access, unaware of the hidden risks.

Data Interception: The app intercepted incoming SMS messages, silently collecting OTPs and banking alerts without users’ knowledge.

Firebase Transmission: Intercepted data flowed straight to the scammers’ Firebase server, storing sensitive information for easy access.

Bank Account Drain: Armed with OTPs, the scammers accessed victims’ bank accounts, swiftly siphoning funds before the fraud was even noticed.

Investigation and the Exposed Firebase Flaw

CloudSEK’s team dove into the app’s code, uncovering layers of deceit in its design. The app’s permissions extended far beyond what was needed for lounge access, allowing it to read SMS messages and execute unauthorized transactions. During the investigation, the team identified a significant vulnerability in the scammers’ operation—an exposed Firebase endpoint. This flaw provided the research team with insights into the scale of the scam, enabling them to trace intercepted data and track down stolen funds.

The Rise of Targeted Scams: A New Kind of Cyber Threat

This scam reflects a shift in cybercriminal tactics. Unlike traditional banking scams that cast a wide net, these targeted attacks are focused on specific niches, capitalizing on the rising use of digital services for convenience. As more travelers rely on quick access to services like lounge passes, meal vouchers, and upgrades, scammers have begun exploiting these specific digital behaviors.

The use of QR codes, quick payment links, and mobile apps creates entry points that hackers can manipulate, making it easier to disguise fraudulent apps or sites. In airports, where travelers are often hurried and stressed, scammers know that users are likely to click or download apps without the usual scrutiny, prioritizing speed over security.

Lessons for the Global Traveler: How to Protect Yourself

As scams like these proliferate, travelers need to take proactive steps to safeguard themselves. Here are CloudSEK’s top recommendations for safe travel:

Download Only from Official Sources: Always install apps from trusted sources, such as the Google Play Store or Apple App Store, and verify developer details, reviews, and ratings before downloading.

Avoid Scanning Random QR Codes: Be cautious of QR codes in public places like airports. Only use official sources or check with staff if you’re unsure.

Limit SMS Permissions: Be wary of apps that request SMS access. Airport lounge apps or travel apps typically don’t require such permissions.

Use Verified Channels for Lounge Bookings: Book lounge access through official websites, credit card offers, or directly at the airport. Avoid using unverified third-party apps.

Monitor Your Accounts: Enable bank alerts, regularly check account statements, and report any suspicious transactions immediately. Reviewing app permissions regularly can also help spot red flags.

The Broader Cybersecurity Implications

This scam raises pressing questions about app security and permissions in the travel industry. As more sectors digitize their services, mobile apps increasingly require access to sensitive data to function optimally. However, there is a need for stricter regulation and transparency regarding the permissions apps request, especially for non-banking services like airport lounges.

The “Lounge Pass” scam underscores the importance of cybersecurity hygiene for travelers and highlights the need for vigilance as cybercriminals find new ways to exploit digital convenience. For airport authorities, app developers, and security agencies, it’s a call to action to create safer digital infrastructures that protect travelers’ financial information from malicious actors.

As travelers embrace digital solutions, scams like this one could become a template for cybercrime in other markets, proving that convenience and security must go hand-in-hand to create a safe travel experience in today’s digital landscape.