Date: 2024-10-26

New Delhi: CloudSEK’s Threat Research Team has revealed a sophisticated scam campaign targeting air travellers at Indian airports. The scam uses a fraudulent Android app named "Lounge Pass," distributed through deceptive websites like loungepass.in, which tricks travellers into downloading malware disguised as a legitimate lounge access app.
Once installed, the malicious app secretly intercepts and forwards incoming SMS messages to cybercriminal-controlled servers, leading to significant financial losses for unsuspecting users. In an exclusive chat with ETV Bharat, Anshuman Das, a Threat Researcher at CloudSEK, explained how the attackers achieved this.
“The app requests SMS permissions under the guise of legitimate functionality. Once granted, it forwards all incoming SMS messages to the attackers’ storage, where they can access sensitive data. We identified this by reverse-engineering the app and discovering the misconfigured Firebase endpoint, hardcoded into the malware,” Das said.
The research team recommends several protective measures. Users are advised to download apps only from official stores and avoid scanning random QR codes that could redirect them to malicious websites.
When downloading any travel-related or lounge access apps, it is essential not to grant SMS permissions. Instead, travellers should book lounge access only through official or trusted channels.
Das also highlighted common tactics used in scams, such as malicious QR codes, and stressed the importance of regularly checking bank statements for unrecognised transactions. Users should immediately remove any suspicious apps and consult with their bank if unauthorised activity is detected.
To further educate the public, CloudSEK suggests social media awareness campaigns to inform travellers about emerging cyber threats. This incident underscores the importance of caution when downloading third-party apps, especially for travel services, and highlights the urgent need for vigilance in the digital age.
The investigation, conducted between July and August 2024, revealed that over 450 travellers had downloaded the fraudulent app, leading to reported losses exceeding INR 9 lakhs (around $11,000). Through domain analysis and passive DNS data, researchers uncovered a network of related domains spreading similar malicious APKs.
The scammers exploited a Firebase endpoint that allowed them to collect stolen SMS messages from infected devices, leveraging this exposed cloud-based storage to intercept one-time passwords (OTPs) and banking-related information.
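As an added triage example (not code from CloudSEK or from the article), the following Python script checks a decoded APK's AndroidManifest.xml and resource strings for the combination the researchers describe: SMS permissions requested by the app, a broadcast receiver registered for incoming SMS, and a Firebase endpoint hardcoded into the package. The manifest and strings embedded here are constructed for the example, and the Firebase URL is a placeholder rather than the endpoint from the real sample.

```python
"""Static triage for the pattern described above: an Android app that asks for
SMS permissions, registers a receiver for incoming SMS, and ships a hardcoded
Firebase endpoint.  Added example; the manifest and strings below are constructed
and the Firebase URL is a placeholder, not the endpoint from the real sample."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Firebase Realtime Database hosts (legacy and regional domains).
FIREBASE_RE = re.compile(
    r"https?://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)[\w/.-]*",
    re.IGNORECASE,
)


def manifest_permissions(manifest_xml: str) -> set:
    """Return every permission name declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME, "") for el in root.iter("uses-permission")}


def sms_receivers(manifest_xml: str) -> list:
    """Return receiver class names whose intent-filter listens for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NAME) for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            hits.append(receiver.get(ANDROID_NAME, "<unnamed>"))
    return sorted(hits)


def find_firebase_endpoints(blobs) -> list:
    """Collect hardcoded Firebase URLs from decoded strings.xml, smali or dex text."""
    found = set()
    for blob in blobs:
        found.update(FIREBASE_RE.findall(blob))
    return sorted(found)


def triage(manifest_xml: str, resource_blobs) -> dict:
    """Combine the three indicators into one report for an analyst or vetting pipeline."""
    perms = manifest_permissions(manifest_xml)
    report = {
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_receivers": sms_receivers(manifest_xml),
        "firebase_endpoints": find_firebase_endpoints(resource_blobs),
    }
    # The combination is what made the described sample dangerous: the app can
    # read OTP SMS and has a cloud sink to forward them to.
    report["suspicious"] = bool(report["sms_permissions"]) and bool(report["firebase_endpoints"])
    return report


# Constructed sample resembling the described behaviour (not the real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lounge">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Lounge Pass">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: network access only, no SMS capability.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Lounge Finder"/>
</manifest>"""

# Constructed strings.xml; the Firebase URL is a placeholder.
SAMPLE_STRINGS = """<resources>
  <string name="app_name">Lounge Pass</string>
  <string name="db_url">https://example-placeholder.firebaseio.com/sms</string>
</resources>"""

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest, [SAMPLE_STRINGS]))
```

The flag is a triage signal, not a verdict: many legitimate apps embed Firebase URLs, and a messaging app may legitimately hold SMS permissions. A travel or lounge-booking app that needs both, however, matches the behaviour the researchers describe and warrants a closer look before it is installed or listed. The same three checks can be run against a decoded APK (for example, the output of apktool) by reading the manifest and resource files from disk instead of the constructed strings above.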
