A new online scam involving the Lounge Pass app has recently been exposed, drawing attention after a victim recounted their troubling experience on social media. This revelation has prompted cybersecurity experts to confirm the scam’s existence and detail the methods employed by the perpetrators to defraud individuals of significant sums of money.
The Victim’s Account
A user shared a viral video on X (previously known as Twitter) featuring a woman who claimed to have fallen victim to the scam. With over 5,000 likes and more than 2,100 retweets, her story has resonated widely. She explained that the incident transpired at the Kempegowda International Airport in Bengaluru on September 29. After forgetting her credit card at home, she carried only a photograph of it. Eager to access the lounge area, she showed the image to the lounge staff, who then directed her to download the Lounge Pass app.
The victim shared a screenshot of a WhatsApp conversation in which the alleged scammers provided a link to download the app. They also requested her to perform a screen sharing and undergo a face scan for “security purposes.” Once she complied, she was granted access to the lounge. However, in the following weeks, acquaintances informed her they were unable to reach her by phone, occasionally hearing a male voice respond instead.
The realization of the scam dawned on her when she received her credit card statement and discovered an unauthorized transaction of Rs. 87,125 to a PhonePe account. Though she is uncertain, the victim believes that the compromised app may be the culprit behind her financial loss.
In addition, she revealed that her phone settings had been altered unbeknownst to her, including the activation of call forwarding. The incident has been reported to the local cybercrime unit, although Gadgets 360 could not independently verify her claims.
Investigation by Cybersecurity Experts
The cybersecurity firm CloudSEK’s Threat Research Team conducted an open-source intelligence investigation that confirmed the scam’s presence. Their findings included multiple domains disseminating the Lounge Pass app.
The analysis suggested that a sophisticated SMS-stealer app was responsible for hijacking the victim’s device. Once installed, the app could extract sensitive information, taking control of SMS and call functionalities. This control allowed scammers to divert funds to designated bank accounts and intercept one-time passwords sent via text or call.
Upon reverse-engineering the app’s APK, researchers discovered an exposed Firebase endpoint used to store intercepted SMS messages from victims. Between July and August 2024 alone, around 450 individuals reportedly installed the app, resulting in scammers illicitly acquiring over Rs. 9 lakhs from their victims during that time. However, researchers noted that this data might not represent the full extent of the scam, as only one endpoint was analyzed.
Guidelines for Personal Protection
Given that the Lounge Pass app is not available on official app stores, measures to eliminate the app are limited. To safeguard against such scams, researchers have proposed several recommendations.
Individuals are urged to refrain from downloading lounge access apps from unverified sources and to rely solely on official app marketplaces. Before installation, it is crucial to verify the publisher’s identity.
Additionally, travelers are advised to avoid scanning unfamiliar QR codes at airports. They should also exercise caution regarding the permissions requested by downloaded applications, ensuring that no app has access to SMS or calling features unless absolutely necessary. Finally, it is recommended that banking or UPI apps on their devices incorporate two-factor authentication (2FA) for enhanced security.
