Uncovering the Lounge Pass Scam Campaign: Targeted Android SMS Stealer Preying on Air Travellers

Executive Summary

CloudSEK's Threat Research Team has uncovered a sophisticated scam targeting air travelers through a fraudulent Android application called 'Lounge Pass'. The investigation began after a viral social media post on X (formerly Twitter) detailed how a woman fell victim to the scam at Bangalore Airport.

Unlike typical SMS stealers that often masquerade as banking or loan applications, this campaign specifically targets airport travelers. The malicious app, once installed, secretly captures and forwards all incoming SMS messages from the victim's device to the scammers.

Through extensive OSINT (Open Source Intelligence) investigation, the research team identified multiple domains associated with the scam across different TLDs. Upon analyzing the reverse-engineered APK, researchers discovered a critical oversight: the scammers had accidentally exposed their Firebase endpoint, which was being used to store all intercepted SMS messages from victims. 

‍

Analysis of the exposed data revealed the devastating scope of this scam: 

• Between July and August 2024, around 450 unsuspecting travelers had installed the malicious application. 
• The intercepted SMS messages painted a grim picture, showing that the scammers had successfully stolen over INR 9 lakhs (approximately $11,000) from their victims during this brief period. 
• This figure likely represents just a portion of the total damages, as it includes only the documented cases linked to the exposed endpoint found in the SMS stealer code during the analyzed time frame.

‍

‍

Analysis and Attribution

Information from the X Post

Based on the video, we observed that the URL (loungepass.in) for downloading the APK was shared via WhatsApp. Additionally, WhatsApp screenshots revealed the title AIRPORT LOUNGE ACCESS CHECK. Through passive DNS data and hosting similarities, we identified three related domains, which we believe were part of the same campaign, hosting on a the same web server IP address: 154.41.240.248

‍

‍

‍

Information from OSINT

Further investigation using crowd-sourced URL scanner platforms revealed the same URLs had been previously scanned. Interestingly, it appears that someone also scanned the Android application mentioned by the victims in the Twitter video.  This validates our hypothesis regarding the distribution of the APK through these domains and the connections between the other discovered domains.

‍

‍

Information from the Reversed SMS Stealer

After reverse engineering the Android SMS stealer LOUNGEPASS.apk (981a5a2c7cb2184ac9715f6ebab0d60e0796f628230f23950809a34f5639b9f4), the permissions in the Manifest file revealed the true intent of the APK. Further analysis uncovered hard-coded secrets and the Firebase Messaging Service URL endpoint, exposing victims' devices and facilitating money theft by exploiting SMS messages exfiltration from the victims' numbers.

‍

‍

Recommendations

• First and foremost, only download lounge access apps from trusted sources like the Google Play Store or Apple App Store: Always verify that the app publisher's name matches the official company, and take the time to review user feedback and check download numbers before installing any app.
• Be cautious when encountering QR codes at airports: Avoid scanning random QR codes, as they could lead to malicious downloads or scams. Never download apps via direct APK links that bypass official app stores, and if you're unsure, always ask airport or lounge staff to confirm the legitimacy of any codes.
• Protect your SMS access by never granting SMS permissions to lounge or travel apps: Be suspicious of any app requesting access to your messages, as legitimate lounge apps don’t need SMS access. This is a crucial step in preventing unauthorized access to your personal information.
• When booking lounge access, use only official channels such as your bank or credit card benefits: Book through official airport websites or trusted partners. If you have any doubts, booking directly at the lounge counter is always a safe option.‍
• Lastly, it’s important to monitor your accounts regularly while traveling: Enable banking alerts for any transactions and check your accounts frequently to ensure there’s no suspicious activity. If you notice anything unusual, report it to your bank immediately.
• If you have recently installed any lounge-related apps, review their permissions and remove any that seem suspicious to protect your data. Stay vigilant and prioritize your safety while traveling.

‍

Indicators

‍

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia
• https://x.com/Jasonphilip8/status/1848611163518730571 
• https://www.ndtv.com/feature/woman-falls-victim-to-lounge-scam-at-bengaluru-airport-loses-over-rs-87-000-6848162 
• https://www.instagram.com/kolampodu 

‍

Appendix

‍