A new Android malware named Mirax is emerging as a significant threat, converting infected smartphones into residential proxy nodes. Discovered circulating in underground criminal forums since late 2025, Mirax combines the ability to steal banking credentials with the capability to reroute malicious traffic through a victim’s legitimate IP address. This dual functionality represents a notable evolution in mobile malware tactics, allowing attackers to operate with increased anonymity and evade detection.
Researchers at Cleafy have been actively tracking Mirax since March 2026, noting its initial appearance on underground forums on December 19, 2025. The malware is being offered as a Malware-as-a-Service (MaaS) and is intentionally limited to a select group of trusted, primarily Russian-speaking affiliates. This controlled distribution strategy appears designed to prolong the malware’s operational lifespan and reduce the likelihood of early discovery by cybersecurity researchers.
Mirax Threat: A Sophisticated Android RAT
The Mirax Android RAT (Remote Access Trojan) has rapidly expanded its reach, with initial campaigns already impacting over 200,000 accounts. These campaigns have been heavily promoted through paid advertisements on Meta platforms such as Facebook and Instagram, predominantly targeting Spanish-speaking users. The aggressive deployment within a short timeframe underscores the operators’ intent to quickly establish a victim base for the new tool, and the success of these advertisements highlights how effective social engineering remains for distributing mobile malware.
The infection chain begins with users encountering enticing social media advertisements that lead them to phishing websites. These sites often impersonate legitimate IPTV or illegal sports streaming services. Because such applications are typically not available on the official Google Play Store, their users are already accustomed to sideloading apps from external sources, which makes them more susceptible to this type of social engineering. The malware’s dropper files are hosted on GitHub Releases pages and are updated daily with new package hashes to circumvent hash-based detection, even though the core functionality of the application remains unchanged.
Upon installation, the Mirax malware disguises itself as a legitimate video playback utility. It then prompts the user to grant Accessibility Services permissions. Once granted, the malware operates discreetly in the background while displaying a fake error message to the user, creating the illusion that the installation process failed. This technique helps to obscure the malicious activity and prevent immediate suspicion.
The Alarming Residential Proxy Mechanism
A particularly concerning feature of Mirax is its integrated residential proxy functionality. This capability extends far beyond that of a typical banking trojan. The malware utilizes the SOCKS5 protocol and Yamux multiplexing over WebSocket channels to establish a covert proxy tunnel between the infected smartphone and a relay server controlled by the attackers. This allows threat actors to route their internet traffic through the victim’s genuine residential IP address, effectively masking the origin of their malicious activities.
The implications of this functionality are significant. By leveraging a victim’s real IP address, attackers can bypass geolocation restrictions, circumvent fraud detection systems, and execute various illicit activities. This includes account takeovers, financial transaction fraud, and password spraying attacks, all while appearing to originate from an ordinary home user. Financial institutions and online platforms that rely on IP address-based fraud prevention measures are particularly vulnerable to this advanced technique.
Furthermore, Cleafy researchers observed that even if users deny the Accessibility Services request, Mirax can still activate its proxy module with a reduced set of permissions. This indicates a robust and adaptable monetization strategy embedded in the malware’s design, ensuring that compromised devices can still be leveraged for profit even when only partial permissions are granted. This adaptability poses a continuous challenge for mobile security.
Mitigating the Mirax Threat
The ongoing evolution of mobile malware like Mirax underscores the importance of user vigilance. Android users are strongly advised to exercise caution and avoid downloading applications from sources outside the official Google Play Store, particularly those promoted through unsolicited social media advertisements. Regularly reviewing application permissions, specifically which apps hold Accessibility Services access, and revoking that access for any unrecognized application is a practical way to detect an infection of this kind before significant damage is done.
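The permission review described above can be scripted for a device attached over adb. The following is an added example, not code from the article or from Cleafy: it reads the real Android secure setting `enabled_accessibility_services` (a colon-separated list of `package/service` entries) and flags any package not on an allowlist. The allowlist, the sample value and the package name `com.example.videoplayer` are constructed placeholders, not Mirax indicators.

```shell
#!/bin/sh
# Added example: triage which apps hold Accessibility Services access and flag
# unexpected holders. Runs against the constructed sample when no device is attached.

# Assumption: only these packages are expected to hold accessibility access.
ALLOWLIST="com.android.talkback com.google.android.marvin.talkback"

# flag_services "<colon-separated package/service entries>"
# Prints one unexpected package name per line.
flag_services() {
    entries="$1"
    [ "$entries" = "null" ] && entries=""     # setting reads "null" when unset
    printf '%s\n' "$entries" | tr ':' '\n' | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        pkg=${entry%%/*}                       # package name precedes the service class
        case " $ALLOWLIST " in
            *" $pkg "*) ;;                     # allowlisted, nothing to report
            *) printf '%s\n' "$pkg" ;;
        esac
    done
}

# count_flagged "<entries>" -> number of unexpected packages
count_flagged() {
    flag_services "$1" | wc -l | tr -d ' '
}

# Constructed sample of the setting on a device where an unknown "video player"
# has been granted accessibility access alongside the legitimate screen reader.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.videoplayer/.AccessSvc"

if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    current=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
else
    current="$SAMPLE"
fi

flag_services "$current" | while IFS= read -r pkg; do
    echo "UNEXPECTED accessibility service holder: $pkg"
    echo "  installer: $(adb shell pm list packages -i "$pkg" 2>/dev/null | tr -d '\r')"
    # To revoke on a connected device: adb shell pm disable-user --user 0 "$pkg"
done
```

Sideloaded droppers typically show `installer=null` in the `pm list packages -i` output, which is a useful second signal alongside the unexpected accessibility grant.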
The cybersecurity community will continue to monitor the development and deployment of Mirax and similar sophisticated Android threats. Further analysis of attacker infrastructure and affiliate networks is expected to provide deeper insights into the operational scope and future targets of this evolving threat. Efforts to identify and disrupt the MaaS platform itself remain a key focus for security researchers and law enforcement agencies.