Lounge Pass App Scam Targeting Indian Travellers Uncovered; Reportedly Swindled Rs. 9 Lakhs in One Month

According to CloudSEK researchers, the malicious Lounge Pass app was being distributed via multiple URLs.

Written by Akash Dutta, Edited by Siddharth Suvarna | Updated: 25 October 2024 17:36 IST
Highlights
  • Lounge Pass came to the surface after a victim posted about it on X
  • The victim claimed people at the airport lounge were involved in the scam
  • The scam is said to have occurred inside Bengaluru International Airport

The scammers stole money by exfiltrating victims' SMS messages, researchers said

The Lounge Pass app scam, a new online scam built around a malicious app of the same name, has recently been uncovered. The incident came to light after an alleged victim took to social media to share their experience and how they were scammed out of a hefty amount. Cybersecurity researchers have now confirmed the existence of the scam, which is being conducted via an app dubbed Lounge Pass, and explained how the bad actors were able to steal money from people.

The Victim's Story

A user on X (formerly known as Twitter) posted a video of a woman who was allegedly a victim of the scam. The post has now gone viral with more than 5,000 likes and 2,100 reposts. The woman claimed that the incident occurred inside the Kempegowda International Airport in Bengaluru on September 29. She claimed to have left her credit card at home and carried a picture of it instead. Wanting to access the lounge area, she claimed to have shown the image of the credit card to the people in the lounge. However, the attendants allegedly asked her to download the Lounge Pass app.

The victim also shared a screenshot of a WhatsApp chat where the alleged scammers sent her a URL to download the app. They also allegedly told her to share her screen and to do a face screen (face scan) for “security purposes”. After that, she was allowed to use the lounge. She also claimed that for the next few weeks, people told her that they were not able to reach her by phone and that sometimes a “male” voice would answer when they called.

She allegedly found out about the scam after her credit card bill came in, and she noticed a transaction of Rs. 87,125 to a PhonePe account. While the victim is not sure, she claimed that the malicious app might have been the reason behind the scam.

In a screenshot, she also showed that without her knowing, her phone's settings were changed to turn on call forwarding. She has allegedly reported this incident to the cybercrime cell. Gadgets 360 was not able to verify any of the claims.

Researchers' Investigation on the Lounge Pass App Scam

Cybersecurity firm CloudSEK's Threat Research Team was able to confirm the existence of the scam through its open source intelligence (OSINT) investigation. The researchers were able to uncover multiple domains which were being used to distribute the Lounge Pass app.

Based on the investigation, the scam was carried out by a sophisticated SMS stealer app that can take control of the device once installed. The scammers likely steal sensitive information from the device using the app, and take control of SMS and calls. Once done, they transfer money to the desired bank account and intercept the OTP whether it is sent via text message or call.

The researchers were able to reverse-engineer the APK of the app and found that the scammers accidentally left their Firebase endpoint exposed. This endpoint was being used to store the intercepted SMS from victims. Based on the analysis of the data, the researchers found that between July and August 2024, approximately 450 people installed the app. Further, scammers also managed to swindle more than Rs. 9 lakhs from victims during this period.

CloudSEK researchers also highlighted that this may not be the full picture as only one endpoint was analysed by the firm.

What Can People Do to Protect Themselves?

Since the app is not available on the Play Store or the App Store, there is little that can be done to take down the app. The researchers have shared a series of recommendations that people can follow to protect themselves from such scams.

First, people are advised to not download lounge access apps from any untrusted sources. Only the official app marketplaces should be trusted for this. Further, before installing, users should verify the app publisher's name.

Travellers should also avoid scanning any random QR codes at airports. Further, whenever downloading an app, users should be careful about the permissions that they give an app. If not absolutely necessary, no app should have access to SMS or calling features. Finally, any banking or UPI apps installed on a device should have two-factor authentication (2FA) enabled for an added layer of security.
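
The permission advice above can be checked before a sideloaded APK is ever installed. The following is an added example, not part of the original article or CloudSEK's research: it reads a decoded AndroidManifest.xml (as a tool such as apktool produces) and flags the SMS and calling permissions the researchers warn about. The manifest, package name and verdict labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Real Android permission names, grouped by the capability the article warns about.
SMS_PERMS = {"RECEIVE_SMS", "READ_SMS", "SEND_SMS"}
CALL_PERMS = {"CALL_PHONE", "READ_CALL_LOG", "ANSWER_PHONE_CALLS", "READ_PHONE_STATE"}

# Constructed sample: decoded manifest of a hypothetical lounge-access app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.loungeaccess">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the short names of all platform permissions the manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            if name.startswith(PREFIX):
                names.add(name[len(PREFIX):])
    return names

def triage(manifest_xml):
    """Flag SMS and call access; SMS access plus network access rates highest."""
    perms = requested_permissions(manifest_xml)
    sms = sorted(perms & SMS_PERMS)
    call = sorted(perms & CALL_PERMS)
    can_upload = "INTERNET" in perms
    if sms and can_upload:
        verdict = "high"      # can read OTP messages and send them off the device
    elif sms or call:
        verdict = "review"    # sensitive access with no obvious need
    else:
        verdict = "low"
    return {"sms": sms, "call": call, "internet": can_upload, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A lounge-access app has no functional need for any permission in the two flagged groups, so a "high" or "review" result is reason enough not to install.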

 
