Mirax Android RAT Turns Smartphones Into a Proxy Botnet

15.04.2026 5 minutes Author: Newsman

A new Android Trojan, Mirax, is actively spreading through social media advertising and has already reached over 200,000 users. The malware gives attackers full control over the device and turns it into a proxy node for attacks, masking traffic with the victims’ real IP addresses.

Mirax is an Android remote access Trojan that has gained traction very quickly and is aggressively targeting Spanish-speaking users. Its distribution campaigns, all run through the Meta advertising platform, reached nearly 223,000 user accounts across Facebook, Instagram, Messenger and Threads.

Cleafy (an Italian company that specializes in combating online fraud) reports that Mirax grants attackers total control over the infected device in real time. According to Cleafy, Mirax is a full-featured Remote Access Trojan (RAT) that lets attackers both collect information and interact directly with the victim’s smartphone.

The capability does not stop there. Infected devices are also converted into so-called “residential” proxies. Because Mirax includes a SOCKS5 server and the Yamux stream multiplexer, attackers can build reliable proxy channels through the phone and route their own traffic out under the victim’s true IP address, which makes attack detection much more difficult.

Mirax was first reported last month, when Outpost24 (KrakenLabs) identified a new MaaS offering promoting MiraxBot on underground forums. For $2,500 per three months, buyers receive full access to the malware. Buyers who choose the cheaper option ($1,750) lose some features, specifically the proxy capability and the crypter used to evade Google Play Protect.

In terms of functionality, Mirax looks like a typical Android malware, but with an expanded set of capabilities. It can:

  • intercept keystrokes

  • steal photos

  • collect data from the lock screen

  • execute remote commands

  • control the device interface

  • monitor user activity

A separate aspect of the data theft mechanism is also worth mentioning. The Trojan uses pages received from the C2 server to overlay legitimate application interfaces, so the user sees a phishing form as if it were the application’s own interface.

The built-in proxy functionality (on top of everything else) is a significant benefit to operators: it lets them circumvent geo-location restrictions, evade anti-fraud systems and send their attack traffic through Mirax so that it appears clean. Because such traffic inherits the trust of the victim’s residential address, it opens the door to account hijacking and financial scams.

Researchers also note that, unlike many other MaaS platforms, Mirax is not distributed through mass advertising; it uses a closed platform model instead. Access is granted to affiliates vetted by the operators, with preference given to Russian-speaking users who have a reputation on underground forums. This appears to be an effort by the Mirax operators to keep control over their activities and prevent leaks.

Researchers discovered six advertisements promoting “droppers” for various Mirax applications. These advertisements were placed through Meta Advertising and directed users to sites that hosted the droppers. Five of the advertisements targeted users in Spain. A sixth advertisement was launched on April 6, 2026 and appeared in front of nearly 190,000 accounts.

To complicate analysis, dropper sites check whether the user is accessing from a mobile device and block automatic scanners. The applications themselves are disguised as regular services.

For example:

  • StreamTV – acts as a dropper

  • “Video Player” – already contains Mirax itself

The VirBox and Golden Crypt crypters are additionally employed to complicate analysis and detection. After that, an extensive multistage download of the primary malicious payload begins, designed solely to evade detection by sandboxes and other security software.

Mirax then runs in the background, displays false errors to the user, and overlays its own interface on top of the user’s actual apps. For Mirax to function properly it must first be granted Accessibility Service permission.

Several channels are used to communicate with the control servers:

  • port 8443 – remote control and command execution

  • port 8444 – data transfer and streaming

  • port 8445 – bringing up the SOCKS5 proxy
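
The three-port C2 layout above gives a defender something concrete to hunt for. The following is an added example, not code from Cleafy or from the article: it parses a constructed outbound-connection export and reports client/server pairs in which one phone has opened sessions to the same external host on all of 8443, 8444 and 8445. The log format, IP addresses and byte counts are all made up for the demo, and the triple is the signal; port 8443 alone is ordinary HTTPS-alternate traffic and is not flagged on its own.

```python
"""
Hunt for the Mirax-style multi-port C2 pattern in outbound connection logs.

Added example (not from Cleafy or the article). The article states that
Mirax talks to its control servers on three ports: 8443 (remote control),
8444 (data/streaming) and 8445 (SOCKS5 proxy). A single mobile client
opening sessions to one external host on all three is an unusual shape
for legitimate traffic, so this script groups connection records by
(client, server) pair and reports pairs that cover the full port set.
The CSV format and every sample record are constructed for the demo;
adapt parse_log() to your own NetFlow/Zeek/firewall export.
"""
from collections import defaultdict
from dataclasses import dataclass

MIRAX_C2_PORTS = {8443, 8444, 8445}  # channel list from the article

# Constructed sample export: "epoch,src_ip,dst_ip,dst_port,bytes_out"
SAMPLE_LOG = """\
1776000000,10.20.0.15,198.51.100.7,8443,1204
1776000004,10.20.0.15,198.51.100.7,8444,98213
1776000009,10.20.0.15,198.51.100.7,8445,44120
1776000011,10.20.0.15,198.51.100.7,8445,51777
1776000030,10.20.0.22,203.0.113.40,8443,4410
1776000031,10.20.0.22,203.0.113.40,443,1200
1776000040,10.20.0.31,192.0.2.9,8444,700
1776000041,10.20.0.31,192.0.2.9,8445,900
"""


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_log(text: str) -> list[Conn]:
    """Parse the constructed CSV export, skipping blank or malformed lines."""
    conns = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        try:
            conns.append(Conn(int(parts[0]), parts[1], parts[2],
                              int(parts[3]), int(parts[4])))
        except ValueError:
            continue  # malformed record, ignore rather than abort the hunt
    return conns


def find_multiport_c2(conns, required=MIRAX_C2_PORTS, min_ports=3):
    """
    Return {(src, dst): {"ports", "bytes_out", "first", "last"}} for every
    client/server pair that touched at least `min_ports` of `required`.
    With the default min_ports=3 this demands the full 8443/8444/8445 triple;
    lower it to 2 for a noisier, broader sweep.
    """
    seen = defaultdict(lambda: {"ports": set(), "bytes_out": 0,
                                "first": None, "last": None})
    for c in conns:
        if c.dport not in required:
            continue
        rec = seen[(c.src, c.dst)]
        rec["ports"].add(c.dport)
        rec["bytes_out"] += c.bytes_out
        rec["first"] = c.ts if rec["first"] is None else min(rec["first"], c.ts)
        rec["last"] = c.ts if rec["last"] is None else max(rec["last"], c.ts)
    return {pair: rec for pair, rec in seen.items()
            if len(rec["ports"]) >= min_ports}


if __name__ == "__main__":
    hits = find_multiport_c2(parse_log(SAMPLE_LOG))
    for (src, dst), rec in sorted(hits.items()):
        print(f"{src} -> {dst}: ports={sorted(rec['ports'])} "
              f"bytes_out={rec['bytes_out']} "
              f"window={rec['last'] - rec['first']}s")
```

On the constructed sample only the 10.20.0.15 client is reported: it is the one host that reaches 198.51.100.7 on all three ports. The byte total and time window are carried along so that the SOCKS5 channel on 8445, which would grow as the phone relays proxied traffic, stands out from a one-off beacon.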

According to Cleafy, this combination of RAT functionality and proxying marks a new level of threat development. It was previously associated mostly with cheap Android phones or IoT devices; today it appears in a full-fledged banking Trojan with an extended infrastructure that lets attackers not only steal money from their victims but also use compromised devices as nodes in a larger cybercriminal network.

Alongside the current campaign, another threat using a similar attack vector has emerged. Breakglass Intelligence has recently reported on an Android malware known as ASO RAT, which is being spread via applications disguised as PDF readers and/or Syrian government services.

This platform has a full range of capabilities for compromising the device:

  • SMS interception

  • camera access

  • GPS tracking

  • call recording

  • file extraction

  • even launching DDoS attacks

Analysts also note that the system has a multi-user panel with role separation, which points to a RAT-as-a-Service model or to an entire team of operators.

The ultimate goals of this campaign remain unclear. However, the use of Syrian-themed applications hints at a possible focus on people associated with military or government structures. It is likely that this is a surveillance operation.
