Uncovering the Lounge Pass Scam Campaign: Targeted Android SMS Stealer Preying on Air Travellers
Essential information
- Published: 25/10/2024 20:49
- Modified: 28/10/2024 12:55
- Tags: 2024-10-25 airport scam android financial fraud lounge access lounge pass mobile security phishing sms stealer travel security
- Related entities: 1 malware, 3 others
Description
A sophisticated scam targeting air travelers at Indian airports has been uncovered, involving a malicious Android app called 'Lounge Pass'. The app, distributed through fake domains, intercepts SMS messages on victims' devices and forwards them to cybercriminals, resulting in significant financial losses. Between July and August 2024, over 450 travelers unknowingly installed the fraudulent app, leading to the theft of more than INR 9 lakhs (approx. $11,000). The scammers exploited an exposed Firebase endpoint to store stolen SMS messages. Multiple related domains were identified spreading similar APKs. Key recommendations include downloading apps only from official stores, not scanning random QR codes, and never granting SMS access to travel or lounge apps.