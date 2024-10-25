A ‘lounge pass’ scam targeting air travellers across India has reportedly cheated over 450 passengers and stolen over Rs 9 lakh. According to cybersecurity company CloudSEK—which uncovered the scam—a fraudulent Android app disguised as lounge pass targeted travellers looking for airport lounge access.

Scammers shared a fake lounge pass app link via WhatsApp, directing victims to malicious domains. These domains included loungepass[.]in, loungepass[.]info, and loungepass[.]online, which were all linked to the scam. The fraudulent app discovered permissions within the app’s code that gave it full access to the victim's SMS messages.

The app then secretly captured incoming SMS messages from the victim’s phone, including sensitive information like OTPs. Intercepted SMS data was sent to the scammers’ Firebase server, which allowed the scammers to gain unauthorised access to the victims' accounts and steal money.

The scam came to light after a post on social media, along with a follow-up, detailed how a traveller at Bangalore Airport fell victim to the fraudulent app and lost over Rs 87,000.

According to CloudSEK investigations, between July and August 2024, approximately 450 unsuspecting travellers installed the fake app on their Android devices. The scammers intercepted SMS messages from victims' phones, enabling them to steal over Rs 9 lakh during this brief period.

Anshuman Das, a CloudSEK researcher, said, "The fact that 450 travellers have already fallen victim and over INR 9 lakh have been stolen is deeply concerning. This is just one fraudulent app that we have found; the possibility of thousands of similar fake apps being in operation cannot be denied."