📌 Quick Summary
- Mirax is a new Android RAT (Remote Access Trojan)
- Steals banking credentials and personal data
- Turns infected phones into residential proxy nodes
- Distributed via social media ads and phishing sites
- Over 200,000 users targeted in early campaigns
⚠️ What Makes Mirax Different?
Mirax stands out because it has dual functionality:
👉 It steals sensitive data (like banking credentials)
👉 It converts infected devices into proxy servers
This means attackers can:
- Route malicious traffic through victims’ real IP addresses
- Hide their identity behind legitimate residential networks
💻 Malware-as-a-Service (MaaS) Model
Mirax operates as a Malware-as-a-Service (MaaS) platform:
- Access is restricted to selected cybercriminals
- Mainly distributed in Russian-speaking underground communities
- Designed to stay undetected for longer periods
👉 This controlled access makes the malware more dangerous and harder to track.
📊 Massive Campaign via Social Media
Security researchers from Cleafy discovered Mirax campaigns targeting users via:
- Facebook and Instagram ads
- Fake IPTV and illegal streaming platforms
👉 These campaigns reportedly reached over 200,000 users in a short time.
🧠 How the Attack Works
The infection chain is highly deceptive:
- User clicks on a social media ad
- Redirected to a fake streaming/phishing site
- Downloads an app outside official stores
- Installs a dropper hosted on GitHub
- Malware payload is silently deployed
👉 The app then disguises itself as a video player.
🔐 Abuse of Accessibility Permissions
After installation, Mirax requests:
👉 Accessibility Services permission
If granted:
- Malware runs silently in the background
- Displays fake error messages
- Gains deep control over the device
Even if denied:
👉 The proxy feature can still activate with limited permissions
🌐 Residential Proxy Feature Explained
One of Mirax’s most dangerous capabilities is its built-in proxy system:
- Uses SOCKS5 protocol
- Establishes encrypted tunnels via WebSocket
- Routes attacker traffic through the victim’s IP address
👉 This allows attackers to:
- Bypass geo-restrictions
- Evade fraud detection systems
- Perform account takeovers and financial fraud
🚨 Why This Is a Big Deal
Using real residential IPs makes attacks:
- Harder to detect
- More likely to be trusted by security systems
- More effective in financial fraud scenarios
👉 Banks and platforms relying on IP-based security are especially vulnerable.
🛡️ How to Stay Safe
To protect your device:
- Only download apps from official stores (Google Play)
- Avoid apps promoted via social media ads
- Regularly review Accessibility permissions
- Remove unknown or suspicious apps immediately
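To make the last two checks concrete for an administrator with a device attached over adb, here is an added example (not code from Cleafy's report or from the original article) that parses the output of two stock Android commands and flags apps holding Accessibility access that were not installed by Google Play; the package names in the embedded sample output are constructed, and treating only `com.android.vending` as an official installer is an assumption.

```python
"""Flag sideloaded apps that hold Accessibility Services access (added example)."""
import subprocess

# Installer packages treated as "official store" (assumption: Google Play only)
OFFICIAL_INSTALLERS = {"com.android.vending"}

# Constructed sample output, not captured from a real infection.
SAMPLE_SERVICES = (
    "com.example.videoplayer/.OverlayService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)
SAMPLE_PM = """package:com.example.videoplayer  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
"""


def parse_enabled_services(settings_output: str) -> set:
    """Parse `settings get secure enabled_accessibility_services`.
    The value is a colon-separated list of package/ServiceClass entries,
    or the literal string "null" when no service is enabled."""
    text = settings_output.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def parse_installers(pm_output: str) -> dict:
    """Parse `pm list packages -i` lines of the form
    `package:<pkg>  installer=<installer|null>` into {package: installer}."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip()
        installers[pkg.strip()] = None if installer in ("", "null") else installer
    return installers


def flag_sideloaded_accessibility(services_out: str, pm_out: str) -> list:
    """Packages with Accessibility enabled whose installer is not an official store."""
    enabled = parse_enabled_services(services_out)
    installers = parse_installers(pm_out)
    return sorted(p for p in enabled if installers.get(p) not in OFFICIAL_INSTALLERS)


def adb_shell(cmd: str) -> str:
    """Run a command on the attached device; requires adb on PATH."""
    return subprocess.run(["adb", "shell", cmd], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for pkg in flag_sideloaded_accessibility(
        adb_shell("settings get secure enabled_accessibility_services"),
        adb_shell("pm list packages -i"),
    ):
        print("review:", pkg)
```

Run against the sample data the script reports only the sideloaded video player, which matches the disguise described in the infection chain; on a real device a flagged package warrants review rather than automatic removal, since legitimate sideloaded accessibility tools exist.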
🔎 Final Thoughts
Mirax represents a new evolution in mobile malware. By combining data theft with proxy abuse, it creates a powerful monetization model for cybercriminals. As attacks become more sophisticated, user awareness and cautious behavior are more important than ever.