Uncovering the Lounge Pass Scam Campaign: Targeted Android SMS Stealer Preying on Air Travellers

CloudSEK’s Threat Research Team uncovered a sophisticated scam targeting air travelers at Indian airports. The fraud involves a malicious Android application named Lounge Pass, distributed through fake domains like loungepass.in. This app secretly intercepts and forwards SMS messages from victims’ devices to cybercriminals, resulting in significant financial losses. The investigation revealed that between July and August 2024, over 450 travelers unknowingly installed the fraudulent app, resulting in a reported theft of more than INR 9 lakhs (approx. $11,000). The scammers exploited an exposed Firebase endpoint to store stolen SMS messages. Through domain analysis and passive DNS data, researchers identified several related domains spreading similar APKs. Key recommendations include downloading apps only from official stores, avoiding scanning random QR codes, and never granting SMS access to travel or lounge apps. Travelers should book lounge access through official channels and stay vigilant to protect their personal data. Stay updated on the latest scams and protect your travel data by following these guidelines.

CloudSEK TRIAD
October 25, 2024
Green Alert
Last update posted on October 25, 2024

Executive Summary

CloudSEK's Threat Research Team has uncovered a sophisticated scam targeting air travelers through a fraudulent Android application called 'Lounge Pass'. The investigation began after a viral social media post on X (formerly Twitter) detailed how a woman fell victim to the scam at Bangalore Airport.

Unlike typical SMS stealers that often masquerade as banking or loan applications, this campaign specifically targets airport travelers. The malicious app, once installed, secretly captures and forwards all incoming SMS messages from the victim's device to the scammers.

Through extensive OSINT (Open Source Intelligence) investigation, the research team identified multiple domains associated with the scam across different TLDs. Upon analyzing the reverse-engineered APK, researchers discovered a critical oversight: the scammers had accidentally exposed their Firebase endpoint, which was being used to store all intercepted SMS messages from victims. 

Analysis of the exposed data revealed the devastating scope of this scam: 

  • Between July and August 2024, around 450 unsuspecting travelers had installed the malicious application. 
  • The intercepted SMS messages painted a grim picture, showing that the scammers had successfully stolen over INR 9 lakhs (approximately $11,000) from their victims during this brief period. 
  • This figure likely represents just a portion of the total damages, as it includes only the documented cases linked to the exposed endpoint found in the SMS stealer code during the analyzed time frame.

Similar APKs named LOUNGPASS distributed in this campaign

Analysis and Attribution

Information from the X Post

Based on the video, we observed that the URL (loungepass.in) for downloading the APK was shared via WhatsApp. Additionally, WhatsApp screenshots revealed the title AIRPORT LOUNGE ACCESS CHECK. Through passive DNS data and hosting similarities, we identified three related domains, which we believe were part of the same campaign, all hosted on the same web server IP address: 154.41.240.248

Domain Name          Registrar                  Created Date   Nameserver
loungepass[.]info    HOSTINGER operations, UAB  2024-08-12     ns1.dns-parking.com, ns2.dns-parking.com
loungepass[.]online  HOSTINGER operations, UAB  2024-03-27     NS2.DNS-PARKING.COM, NS1.DNS-PARKING.COM
loungepass[.]in      HOSTINGER operations, UAB  2024-08-12     ns1.dns-parking.com, ns2.dns-parking.com

The malicious domain that distributed the SMS stealer

Information from OSINT

Further investigation using crowd-sourced URL scanner platforms revealed that the same URLs had been scanned previously. Interestingly, it appears that someone also scanned the Android application mentioned by the victim in the X video. This validates our hypothesis regarding the distribution of the APK through these domains and the connections between the other discovered domains.

Malicious APK distributed through these domains, as confirmed by crowdsourced scanner platforms (urlscan.io)

Information from the Reversed SMS Stealer

After reverse engineering the Android SMS stealer LOUNGEPASS.apk (981a5a2c7cb2184ac9715f6ebab0d60e0796f628230f23950809a34f5639b9f4), the permissions declared in the manifest file revealed the true intent of the APK. Further analysis uncovered hard-coded secrets and the Firebase Messaging Service URL endpoint to which the intercepted messages were exfiltrated. With every SMS from the victims' numbers in the scammers' hands, including one-time passcodes, the victims' devices were exposed and money theft followed.

Permissions requested by the SMS stealer
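The triage the analysts describe, SMS permissions in the manifest plus a hard-coded Firebase endpoint in the resources, can be automated once an APK has been decoded with apktool. The following is an added example, not CloudSEK's tooling; the manifest, string resources, package name and Firebase URL are constructed placeholders, not values from the campaign.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# SMS permissions: a lounge-booking app has no business holding any of these.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                   "android.permission.SEND_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
FIREBASE_RE = re.compile(r"https://[\w.-]+\.firebaseio\.com")

# Constructed sample: decoded AndroidManifest.xml of a hypothetical SMS stealer.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loungepass">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Lounge Pass">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
# Constructed sample: res/values/strings.xml carrying a placeholder Firebase backend.
SAMPLE_STRINGS = """<resources>
  <string name="app_name">Lounge Pass</string>
  <string name="firebase_database_url">https://placeholder-project.firebaseio.com</string>
</resources>"""

def sms_permissions(manifest_xml):
    """SMS permissions declared through <uses-permission>, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted({n.get(NS + "name", "") for n in root.iter("uses-permission")} & SMS_PERMISSIONS)

def hooks_incoming_sms(manifest_xml):
    """True if a <receiver> registers for SMS_RECEIVED, i.e. the app intercepts incoming SMS."""
    return any(a.get(NS + "name") == SMS_RECEIVED for a in ET.fromstring(manifest_xml).iter("action"))

def firebase_urls(strings_xml):
    """Firebase Realtime Database URLs hard-coded in string resources."""
    text = "\n".join(s.text or "" for s in ET.fromstring(strings_xml).iter("string"))
    return FIREBASE_RE.findall(text)

def triage(manifest_xml, strings_xml):
    """SMS access plus an SMS receiver or a cloud backend is the shape of an SMS stealer."""
    perms, urls = sms_permissions(manifest_xml), firebase_urls(strings_xml)
    intercepts = hooks_incoming_sms(manifest_xml)
    return {"sms_permissions": perms, "intercepts_sms": intercepts, "firebase_urls": urls,
            "suspicious": bool(perms) and (intercepts or bool(urls))}
```

Run `triage()` over the decoded output of each APK in a collection to flag "travel" apps that carry the SMS stealer shape; the Firebase URL it extracts is the pivot the researchers used to find the exposed data store.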

Recommendations

  • First and foremost, only download lounge access apps from trusted sources like the Google Play Store or Apple App Store: Always verify that the app publisher's name matches the official company, and take the time to review user feedback and check download numbers before installing any app.
  • Be cautious when encountering QR codes at airports: Avoid scanning random QR codes, as they could lead to malicious downloads or scams. Never download apps via direct APK links that bypass official app stores, and if you're unsure, always ask airport or lounge staff to confirm the legitimacy of any codes.
  • Protect your SMS access by never granting SMS permissions to lounge or travel apps: Be suspicious of any app requesting access to your messages, as legitimate lounge apps don’t need SMS access. This is a crucial step in preventing unauthorized access to your personal information.
  • When booking lounge access, use only official channels such as your bank or credit card benefits: Book through official airport websites or trusted partners. If you have any doubts, booking directly at the lounge counter is always a safe option.
  • Lastly, it’s important to monitor your accounts regularly while traveling: Enable banking alerts for any transactions and check your accounts frequently to ensure there’s no suspicious activity. If you notice anything unusual, report it to your bank immediately.
  • If you have recently installed any lounge-related apps, review their permissions and remove any that seem suspicious to protect your data. Stay vigilant and prioritize your safety while traveling.

Indicators

Type of Indicator   Value
Android APK         8c3d6da8af8a4e0beb1e578d07fbc5527dbb960d6e23e39dadd422e4602ed521
                    981a5a2c7cb2184ac9715f6ebab0d60e0796f628230f23950809a34f5639b9f4
                    2756a9b4e4e55f94622caca76e4583eaa8b98b577e5fcef1fd6b32a6333670f8
Domain              loungepass[.]info
                    loungepass[.]online
                    loungepass[.]in

Appendix

Viral post from X (social media)

Author

CloudSEK TRIAD

CloudSEK Threat Research and Information Analytics Division
