Mirax Android RAT Converts Infected Phones into Residential Proxy Nodes
Key Takeaways
- Mirax, a novel Android Remote Access Trojan (RAT), has been observed in underground forums since late 2025.
- The malware not only steals banking credentials but also transforms infected Android devices into residential proxy nodes, allowing attackers to route malicious traffic through legitimate user IP addresses.
- Distributed as a Malware-as-a-Service (MaaS) to a restricted group of primarily Russian-speaking affiliates, Mirax campaigns have already reached over 200,000 accounts via paid Meta advertisements.
- The infection chain typically begins with social media ads leading to phishing sites that mimic streaming services, tricking users into sideloading the malware.
- The residential proxy functionality enables attackers to bypass geolocation, evade fraud detection, and execute various attacks appearing as regular home users.
Mirax Android RAT: A New Threat Turning Phones into Proxy Nodes
A sophisticated Android Remote Access Trojan (RAT) named Mirax has emerged in cybercriminal circles, posing a significant threat to mobile users across Europe and beyond. First documented in late 2025, this malware distinguishes itself from typical banking trojans by its dual functionality: it is designed to exfiltrate banking credentials while simultaneously converting compromised smartphones into residential proxy nodes. This approach allows threat actors to route illicit network traffic through a victim’s legitimate IP address, significantly complicating detection and attribution, as detailed in Cleafy’s recent analysis.
The development marks a notable evolution in mobile malware design and monetization strategies. Rather than solely focusing on direct financial theft, Mirax creates an infrastructure for further malicious activities, leveraging the victim’s device and internet connection.
Malware-as-a-Service and Controlled Distribution
Mirax operates as a Malware-as-a-Service (MaaS) offering, rented to a select group of criminal affiliates who launch independent campaigns. Unusually for open-market MaaS tools, access to Mirax is highly restricted, with preference given to trusted Russian-speaking actors within the cybercrime underground. This controlled distribution strategy suggests an intentional effort by the developers to maintain a low profile, thereby prolonging the malware’s operational lifespan and reducing the likelihood of early discovery by cybersecurity researchers.
Researchers at Cleafy began actively tracking Mirax in March 2026, after identifying multiple campaigns targeting Spanish-speaking users. Their investigation traced the malware’s initial appearance on underground forums back to December 19, 2025. Alarmingly, campaigns leveraging Mirax had already reached over 200,000 accounts through paid advertisements on Meta platforms, including Facebook and Instagram, demonstrating the rapid and aggressive deployment by its operators.
Infection Vector and Stealth Mechanisms
The infection process typically commences with deceptive social media advertisements. These ads lure potential victims to phishing websites that impersonate popular IPTV or illicit sports streaming services. Since such applications are not available on the Google Play Store, users are often predisposed to sideloading apps from unofficial sources, making them more susceptible to this social engineering tactic.
The dropper files for Mirax are hosted on GitHub’s Releases page. To evade hash-based detection tools, these files are updated daily with new package hashes, even though the underlying application content remains unchanged. Once downloaded and installed, the dropper silently decrypts and delivers the final malware payload onto the device.
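The daily hash rotation described above defeats blocklists that match on the whole-file hash but not fingerprints built from the parts of the package that actually carry the code. The following is an added example, not code from the article or from Cleafy: it constructs two tiny APK-like zip archives in memory that share the same classes.dex and manifest but differ in a padding entry, and shows that the whole-file SHA-256 changes while a component-level fingerprint stays stable. The archive contents, entry names and the repacking behaviour are constructed assumptions for the demo.

```python
import hashlib
import io
import zipfile

# APK members that define what the app actually does; the daily rebuilds the
# article describes leave these untouched while the overall file hash changes.
FINGERPRINT_ENTRIES = ("AndroidManifest.xml", "classes.dex")

# Constructed stand-ins for real app contents (not taken from any sample).
DEMO_MANIFEST = b"<manifest package='example.player'/>"
DEMO_DEX = b"dex\n035\x00" + b"\x00" * 64


def build_apk(padding: bytes, dex: bytes = DEMO_DEX) -> bytes:
    """Construct a minimal APK-like zip archive in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", DEMO_MANIFEST)
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/pad.bin", padding)  # the entry a repacker churns each day
    return buf.getvalue()


def file_sha256(blob: bytes) -> str:
    """Whole-file hash, i.e. what a hash blocklist would match on."""
    return hashlib.sha256(blob).hexdigest()


def component_fingerprint(blob: bytes) -> str:
    """Hash over the meaningful entries only, insensitive to padding and zip metadata."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        present = set(zf.namelist())
        for name in FINGERPRINT_ENTRIES:  # fixed order keeps the digest deterministic
            if name in present:
                entry_digest = hashlib.sha256(zf.read(name)).hexdigest()
                h.update(f"{name}:{entry_digest}\n".encode())
    return h.hexdigest()


def compare(build_a: bytes, build_b: bytes) -> dict:
    """Report whether two builds match at file level and at component level."""
    return {
        "file_hash_matches": file_sha256(build_a) == file_sha256(build_b),
        "component_fingerprint_matches":
            component_fingerprint(build_a) == component_fingerprint(build_b),
    }


# Two "daily" rebuilds of the same code, differing only in padding...
DAY1 = build_apk(b"\x01" * 16)
DAY2 = build_apk(b"\x02" * 16)
# ...and a build whose code really did change.
UPDATED = build_apk(b"\x01" * 16, dex=DEMO_DEX + b"\x42")

if __name__ == "__main__":
    print(compare(DAY1, DAY2))     # file hash differs, component fingerprint matches
    print(compare(DAY1, UPDATED))  # both differ
```

The fingerprint is only as stable as the entries it covers: a repacker that also re-signs the archive or rewrites timestamps does not affect it, but one that re-obfuscates classes.dex on each build would, at which point detection has to move to coarser features such as the requested permissions, exported components or embedded strings.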
Following installation, Mirax masquerades as a video playback utility and immediately requests Accessibility Services permissions. Upon receiving these critical permissions, the malware operates stealthily in the background. To further obscure its presence, it displays a fake error page to the user, creating the impression that the installation failed to complete, thus deterring suspicion.
The Residential Proxy Mechanism
One of Mirax’s most concerning features is its integrated residential proxy capability, a functionality that significantly expands its utility beyond conventional banking trojans. The malware establishes a persistent proxy tunnel between the infected device and an attacker-controlled relay server, utilizing the SOCKS5 protocol and Yamux multiplexing over WebSocket channels.
This sophisticated mechanism allows threat actors to route their internet traffic through the victim’s genuine residential IP address. From the perspective of target systems, this traffic appears to originate from an ordinary home user, rather than from known malicious infrastructure.
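For analysts looking at captured tunnel traffic, the layering matters: Yamux frames carry the multiplexed streams, and each proxied connection starts with a SOCKS5 client greeting. The following is an added example, not code from the article, from Cleafy or from the malware: it parses the 12-byte Yamux frame header as the public Yamux specification defines it (version, type, flags, stream id, length, all big-endian) and flags any stream whose first data bytes form a SOCKS5 greeting per RFC 1928. The byte string it inspects is constructed for the demo; in a real capture the WebSocket framing and any TLS would have to be removed first.

```python
import struct

# Yamux header per the public spec: version(8) type(8) flags(16) stream_id(32) length(32).
YAMUX_HEADER = struct.Struct("!BBHII")
TYPE_DATA, TYPE_WINDOW_UPDATE, TYPE_PING, TYPE_GO_AWAY = 0, 1, 2, 3
FLAG_SYN = 0x1


def parse_yamux_frames(buf: bytes):
    """Yield (type, flags, stream_id, payload) per frame; stop on a truncated data frame."""
    off = 0
    while off + YAMUX_HEADER.size <= len(buf):
        version, ftype, flags, sid, length = YAMUX_HEADER.unpack_from(buf, off)
        if version != 0:
            raise ValueError(f"unknown Yamux version {version} at offset {off}")
        off += YAMUX_HEADER.size
        payload = b""
        if ftype == TYPE_DATA:
            if off + length > len(buf):
                break  # capture ends mid-frame
            payload = buf[off:off + length]
            off += length
        # For the other frame types the length field is a window delta or ping value,
        # not a payload size, so nothing follows the header.
        yield ftype, flags, sid, payload


def looks_like_socks5_greeting(data: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then NMETHODS method bytes."""
    if len(data) < 3 or data[0] != 0x05:
        return False
    nmethods = data[1]
    return nmethods >= 1 and len(data) >= 2 + nmethods


def find_socks5_streams(buf: bytes) -> list:
    """Return the ids of streams whose first data frame opens with a SOCKS5 greeting."""
    first_seen = set()
    hits = []
    for ftype, _flags, sid, payload in parse_yamux_frames(buf):
        if ftype != TYPE_DATA or sid in first_seen:
            continue
        first_seen.add(sid)
        if looks_like_socks5_greeting(payload):
            hits.append(sid)
    return hits


def yamux_frame(ftype: int, flags: int, sid: int, payload: bytes = b"", length=None) -> bytes:
    """Build one frame; used only to assemble the constructed capture below."""
    if length is None:
        length = len(payload)
    return YAMUX_HEADER.pack(0, ftype, flags, sid, length) + payload


# Constructed capture: stream 1 opens a SOCKS5 session, stream 3 carries plain text,
# with a window update and a ping in between.
SAMPLE = b"".join([
    yamux_frame(TYPE_WINDOW_UPDATE, FLAG_SYN, 1, length=256 * 1024),
    yamux_frame(TYPE_DATA, 0, 1, b"\x05\x01\x00"),            # VER=5, one method, no-auth
    yamux_frame(TYPE_PING, FLAG_SYN, 0, length=0x2A),
    yamux_frame(TYPE_DATA, FLAG_SYN, 3, b"hello from stream 3"),
    yamux_frame(TYPE_DATA, 0, 1, b"\x05\x01\x00\x01\x0a\x00\x00\x01\x00\x50"),  # later CONNECT
])

if __name__ == "__main__":
    print("streams opening with a SOCKS5 greeting:", find_socks5_streams(SAMPLE))  # [1]
```

Matching on the greeting alone is a weak signal in general, but on a phone there is little legitimate reason for a long-lived outbound WebSocket to carry inbound SOCKS5 sessions, so the combination (persistent WebSocket, Yamux framing, SOCKS5 greetings on freshly opened streams) is what an analyst would key on.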
The implications of this proxy functionality are substantial. Attackers can leverage compromised devices to bypass geolocation restrictions, circumvent anti-fraud systems, and conduct various illicit activities such as account takeovers, fraudulent transactions, and password spraying. Financial institutions and online platforms that rely on IP-based fraud detection are particularly vulnerable to this method. Cleafy researchers also highlighted that Mirax’s proxy module can activate even if the user denies Accessibility Services, albeit with reduced functionality. This design choice underscores a sophisticated monetization strategy, ensuring that attackers can still derive value from partially compromised devices.
What You Should Do
- Avoid Sideloading Apps: Refrain from downloading and installing applications from unofficial sources, especially those advertised on social media platforms. Always use the official Google Play Store for Android app downloads.
- Exercise Caution with Social Media Ads: Be highly skeptical of advertisements on Facebook, Instagram, or other social media sites promoting “free” streaming services or other enticing but unusual offers.
- Review App Permissions: Regularly check the permissions granted to applications on your Android device, particularly “Accessibility Services.” Revoke permissions for any unfamiliar or suspicious apps.
- Use Reputable Antivirus Software: Install and maintain up-to-date mobile antivirus or security software on your Android device to detect and prevent malware infections.
- Keep Software Updated: Ensure your Android operating system and all installed applications are regularly updated to patch known vulnerabilities.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.