A new Android banking malware, dubbed “Mirax Bot”, is being advertised on underground cybercriminal forums with a feature set built for financial fraud. It is sold as malware-as-a-service (MaaS) with structured rental tiers, which lowers the entry barrier for criminals who want to run large-scale banking fraud against Android users worldwide. The emergence of Mirax Bot continues a worrying trend in mobile cybercrime: capable attack tooling is increasingly commoditized and rented rather than built.
The threat actor is actively marketing Mirax Bot on ExploitForum, a well-known marketplace for illicit cyber tools and services. According to the advertisements, the malware supports over 700 application injects and facilitates Hidden Virtual Network Computing (HVNC). These features aim to enable attackers to steal user credentials and gain remote control of infected devices covertly. Pricing for the service is structured into rental packages, with a 30-day LIGHT tier costing $1,750 and a 14-day option at $1,000. An additional APK Loader add-on is available for $500.
Mirax Bot’s Advanced Features and Financial Fraud Capabilities
Researchers at KrakenLabs identified and flagged Mirax Bot on March 5, 2026, after observing its promotion across various underground platforms. The malware’s advertised feature set is designed specifically to support account takeover (ATO) operations and financial fraud. It combines credential capture with real-time remote device interaction and the ability to act as a residential proxy through compromised Android handsets. It is important to note that all capabilities listed in the advertisement are claims made by the seller and have not been independently verified at this stage by researchers.
One of the most concerning advertised features is the ability to route attacker traffic through the victim’s own network connection. The infected handset then acts as a residential proxy: the bank or payment provider sees requests arriving from the customer’s usual IP address, carrier or ISP, and geographic location, so controls built on IP reputation, impossible-travel checks, or datacenter and VPN blocklists see nothing unusual. This is precisely why the IP address alone is a weak signal for fraud detection; an attacker inherits it simply by tunnelling through the compromised device.
HVNC and Inject-Based Credential Theft Mechanisms
The core technical functions that make Mirax Bot a severe threat are its Hidden Virtual Network Computing (HVNC) capability and its advertised library of more than 700 targeted application injects. HVNC lets the attacker drive an infected Android device remotely in a hidden, parallel session, with little or nothing visible on the screen, so they can open applications, initiate fund transfers, approve transactions, and pull sensitive data while the owner sees nothing out of the ordinary. On Android, this class of remote control and the overlay injects described below depend on powerful permissions, in particular the Accessibility Service and the permission to draw over other apps, which the malware must persuade the user to grant at install or first launch; that is also why the permission-review advice later in this article matters.
The inject library works alongside HVNC by placing convincing fake overlay screens on top of legitimate banking and payment applications at the moment the user opens them. The overlays mimic the genuine app’s login or payment flow and trick the user into typing credentials, one-time passwords, or card details. Once entered, the data is silently captured and sent to the attacker; since one-time passwords expire quickly, it is only useful to the operator if relayed promptly, which is where real-time HVNC control comes in. With claimed coverage of more than 700 applications across banks, cryptocurrency wallets, and payment services, Mirax Bot could reach users across many countries and financial platforms at once.
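As an added illustration, and not code from this article, from KrakenLabs, or from the malware itself, the following Python script triages a decoded AndroidManifest.xml for the permission and component pattern that overlay injects and silent remote control on Android depend on: the draw-over-other-apps permission, a declared accessibility service, and the ability to install further packages (the loader behaviour). The manifest, package name, and service name are constructed for the example, and the rules are a generic heuristic for this malware class, not a signature for Mirax Bot.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions and components that overlay/HVNC-style Android bankers rely on.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"          # draw over other apps
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # accessibility service
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"     # can drop further APKs

# Constructed sample manifest: a decoded manifest from a hypothetical dropper, not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notabank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Flash Update">
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Parse a decoded manifest and flag the overlay + accessibility + loader pattern."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"

    perms = {el.get(name_attr) for el in root.iter("uses-permission")}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service:
    # once the user enables it, the app can read the screen and inject taps.
    accessibility_services = [
        svc.get(name_attr) for svc in root.iter("service")
        if svc.get(perm_attr) == ACCESSIBILITY_BIND
    ]

    findings = []
    if OVERLAY_PERM in perms:
        findings.append("draw-over-apps permission (needed for inject/overlay screens)")
    if accessibility_services:
        findings.append("declares an accessibility service (basis for silent remote control)")
    if INSTALL_PERM in perms:
        findings.append("can install further APKs (loader behaviour)")

    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in perms if p),
        "accessibility_services": accessibility_services,
        "findings": findings,
        # Overlay plus accessibility together is the classic banker combination;
        # either alone has many legitimate uses, so only the pair is marked suspicious.
        "suspicious": OVERLAY_PERM in perms and bool(accessibility_services),
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], "suspicious:", result["suspicious"])
    for line in result["findings"]:
        print(" -", line)
```

The script expects the manifest already decoded to text (for example by apktool); it deliberately does not try to read the binary XML inside an APK. Treat the output as a triage hint: screen readers and automation tools legitimately declare accessibility services, so the finding is a reason to look closer, not a verdict.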
To reduce exposure to malware like Mirax Bot, Android users should install applications only from the official Google Play Store and avoid sideloading APKs from unverified sources, which is how such bankers and their APK loaders usually arrive. Keep Google Play Protect enabled, refuse Accessibility Service and draw-over-other-apps permissions to any app with no obvious need for them, and consider a mobile security product with behavioural detection. Financial institutions should prioritise device-binding authentication and fraud detection that models customer behaviour rather than relying on IP address checks alone. Device binding defeats replay of overlay-stolen credentials from the attacker’s own hardware, but an HVNC session runs on the customer’s bound device and through the customer’s IP address, so it passes both checks; catching it requires behavioural signals such as unusual hours, new payees, and atypical amounts, together with step-up confirmation delivered out of band rather than as a push prompt to the same, possibly compromised, handset.
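To make the last point concrete, here is an added example (not code from this article or from any bank’s fraud platform) that scores constructed transfer attempts two ways: a legacy IP-only rule that trusts residential addresses, and a layered rule combining device binding with a simple behavioural baseline. The customer profile, the three attack scenarios, and the thresholds are all invented for illustration; the point is which scenarios each policy lets through.

```python
from dataclasses import dataclass, field


@dataclass
class Profile:
    """Per-customer baseline the bank already holds (constructed values)."""
    bound_device: str           # device-binding token enrolled at registration
    usual_hours: range          # local hours in which the customer normally transacts
    typical_max_amount: float   # largest routine transfer seen in the baseline period
    known_payees: set = field(default_factory=set)


@dataclass
class Event:
    """One transfer attempt as the backend sees it (constructed values)."""
    ip_is_residential: bool     # what an IP-reputation feed says about the source address
    device_id: str              # device-binding token presented by the app
    hour: int
    amount: float
    payee: str


def ip_only_decision(ev: Event) -> str:
    """Legacy control: residential source address is treated as trustworthy."""
    return "allow" if ev.ip_is_residential else "step_up"


def layered_decision(ev: Event, profile: Profile) -> tuple[str, list[str]]:
    """Device binding plus behavioural scoring; returns (decision, reasons)."""
    reasons = []
    if ev.device_id != profile.bound_device:
        reasons.append("unbound device")            # credentials replayed from attacker hardware
    if ev.hour not in profile.usual_hours:
        reasons.append("unusual hour")
    if ev.amount > 3 * profile.typical_max_amount:  # illustrative threshold
        reasons.append("amount far above baseline")
    if ev.payee not in profile.known_payees:
        reasons.append("new payee")

    if "unbound device" in reasons or len(reasons) >= 3:
        return "block", reasons
    if reasons:
        # Step-up must be out of band: a push prompt to the same handset can be
        # approved by an HVNC operator sitting on that very device.
        return "step_up", reasons
    return "allow", reasons


PROFILE = Profile(
    bound_device="dev-A1",
    usual_hours=range(8, 22),
    typical_max_amount=500.0,
    known_payees={"landlord", "utility-co"},
)

# Constructed scenarios. Residential IP is True in every attack case because the
# attacker proxies through, or operates directly on, the victim's handset.
EVENTS = {
    "legitimate":        Event(True, "dev-A1", 12, 120.0, "landlord"),
    "new_payee_daytime": Event(True, "dev-A1", 14, 200.0, "plumber"),
    # Overlay-stolen credentials replayed from attacker hardware via the residential proxy.
    "credential_replay": Event(True, "dev-X9", 12, 120.0, "landlord"),
    # HVNC session driving the victim's own bound device: IP and device both match.
    "hvnc_session":      Event(True, "dev-A1", 3, 4000.0, "mule-account"),
}


def run_demo() -> dict:
    """Layered decision for every constructed scenario, keyed by scenario name."""
    return {name: layered_decision(ev, PROFILE) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, ev in EVENTS.items():
        decision, reasons = layered_decision(ev, PROFILE)
        print(f"{name:18} ip-only={ip_only_decision(ev):8} layered={decision:8} {reasons}")
```

Both attack scenarios pass the IP-only rule. The credential-replay case is stopped by device binding alone, but the HVNC case presents the bound device and the home IP address and is caught only because the hour, amount, and payee all fall outside the customer’s baseline; a real system would weight these signals and add velocity and interaction-timing features, but the division of labour between the controls is the same.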