Android Malware ‘Mirax’ Turns Devices into Residential Proxy Nodes, Targets European Users

Emerging Android Malware ‘Mirax’ Transforms Infected Devices into Residential Proxy Nodes

A newly identified Android malware, known as Mirax, has been circulating on underground cybercriminal forums since late 2025 and poses a significant threat to mobile users, particularly in Europe. Unlike a conventional banking trojan, Mirax does not only steal banking credentials: it also turns the infected device into a residential proxy node. This dual role lets attackers route their own malicious traffic through victims’ legitimate home IP addresses, which makes that traffic much harder to detect and attribute.

Malware-as-a-Service Model

Mirax is offered under a Malware-as-a-Service (MaaS) model and rented out to a small group of criminal affiliates. Access is deliberately restricted to trusted, mainly Russian-speaking actors in underground cybercrime communities. Limiting distribution this way is intended to prolong the period in which the malware goes undetected.

Discovery and Distribution

Researchers at Cleafy began tracking Mirax in March 2026 after identifying several campaigns aimed at Spanish-speaking users. The malware was first advertised on underground forums on December 19, 2025, and by early 2026 its paid advertisements on platforms such as Facebook and Instagram had reached more than 200,000 accounts. This rapid dissemination shows how aggressively its operators push the lure.

Infection Process

The infection chain starts with social media advertisements that lead users to phishing websites posing as IPTV or illegal sports streaming services. Because such apps are generally unavailable on official app stores, users are already inclined to sideload an APK from an external source, which is exactly what the lure asks them to do. The dropper files are hosted as GitHub Releases assets and are re-packaged daily so that the file hash changes even though the app’s content does not, which defeats hash-based blocklists. Once installed, the dropper decrypts and installs the final malware payload on the device.

After installation, Mirax disguises itself as a video playback utility and prompts the user to enable Accessibility Services for it. Once that permission is granted, the malware keeps running in the background and shows the user a fake error page suggesting that the installation failed. Accessibility access is also the foundation for the overlay and remote-control features described below.

Residential Proxy Mechanism

A particularly concerning feature of Mirax is its built-in residential proxy. Using the SOCKS5 protocol, multiplexed with Yamux and carried over WebSocket channels, the malware keeps a persistent tunnel open between the infected device and an attacker-controlled relay server. The device then acts as a SOCKS5 exit node: connections requested at the relay are opened from the victim’s phone, so the traffic reaches its destination from the victim’s residential IP address and looks as though it comes from an ordinary home user.

The implications are significant. By borrowing a victim’s residential IP, attackers can bypass geolocation restrictions, slip past IP-reputation and fraud-detection checks, and carry out account takeovers with a much lower risk of being flagged.
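To make the tunnel concrete, the following Python sketch shows what the two sides exchange when a relay asks an infected device to open a connection. It is an added illustration, not code from Cleafy’s report or from the malware itself: it assumes the frame layout of the public hashicorp/yamux specification (a 12-byte header of version, type, flags, stream ID and length), plain no-authentication SOCKS5, and leaves out the WebSocket layer that would carry these bytes; all hosts and ports are made-up sample values, and no real socket is opened.

```python
"""SOCKS5-over-Yamux proxy tunnel sketch (added illustration, not the malware's code).
Yamux header layout per the public hashicorp/yamux spec; WebSocket framing omitted;
all hosts and ports below are made-up sample values."""
import socket
import struct

# Yamux frame header: version(1) type(1) flags(2) stream_id(4) length(4), big-endian.
YAMUX_HDR = struct.Struct(">BBHII")
YAMUX_DATA = 0          # other types (window update, ping, go-away) carry no payload
FLAG_SYN, FLAG_ACK, FLAG_FIN, FLAG_RST = 1, 2, 4, 8

SOCKS_VER, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def yamux_frame(stream_id, payload, flags=0):
    """One Yamux data frame for the given stream."""
    return YAMUX_HDR.pack(0, YAMUX_DATA, flags, stream_id, len(payload)) + payload


def parse_yamux(buf):
    """Split a raw message into (stream_id, flags, payload) tuples for its data frames."""
    frames, off = [], 0
    while off < len(buf):
        if len(buf) - off < YAMUX_HDR.size:
            raise ValueError("truncated Yamux header")
        ver, typ, flags, sid, length = YAMUX_HDR.unpack_from(buf, off)
        off += YAMUX_HDR.size
        if ver != 0:
            raise ValueError("unexpected Yamux version %d" % ver)
        if typ != YAMUX_DATA:   # length field is a window delta / ping id / error code here
            continue
        if off + length > len(buf):
            raise ValueError("truncated Yamux payload")
        frames.append((sid, flags, buf[off:off + length]))
        off += length
    return frames


def socks5_connect_request(host, port):
    """Relay side: encode a SOCKS5 CONNECT for host:port (dotted IPv4 or domain name)."""
    try:
        atyp, addr = ATYP_IPV4, socket.inet_aton(host)
    except OSError:
        raw = host.encode("idna")
        atyp, addr = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([SOCKS_VER, CMD_CONNECT, 0, atyp]) + addr + struct.pack(">H", port)


def parse_socks5_connect(data):
    """Device side: decode a SOCKS5 CONNECT request into (host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("malformed port field")
    return host, struct.unpack(">H", rest)[0]


def relay_open_proxy_stream(stream_id, host, port):
    """Relay side: open a new stream (SYN) carrying the no-auth greeting, then CONNECT."""
    greeting = bytes([SOCKS_VER, 1, 0])   # one offered method: 0x00 = no authentication
    return (yamux_frame(stream_id, greeting, FLAG_SYN)
            + yamux_frame(stream_id, socks5_connect_request(host, port)))


def device_handle_message(buf, streams=None):
    """Infected-device side: demultiplex, walk the SOCKS5 handshake per stream and report
    every CONNECT target. Returns (bytes_to_send_back, [(stream_id, host, port), ...]).
    `streams` keeps per-stream handshake state across calls."""
    streams = {} if streams is None else streams
    reply, targets = b"", []
    for sid, flags, payload in parse_yamux(buf):
        if flags & FLAG_SYN:
            streams[sid] = "greeting"
            reply += yamux_frame(sid, b"", FLAG_ACK)
        if not payload:
            continue
        stage = streams.get(sid)
        if stage == "greeting":
            offered = payload[2:2 + payload[1]] if len(payload) >= 2 else b""
            if payload[0] != SOCKS_VER or 0 not in offered:
                reply += yamux_frame(sid, b"", FLAG_RST)   # refuse anything but no-auth
                streams.pop(sid, None)
                continue
            reply += yamux_frame(sid, bytes([SOCKS_VER, 0]))  # method 0x00 selected
            streams[sid] = "request"
        elif stage == "request":
            host, port = parse_socks5_connect(payload)
            targets.append((sid, host, port))
            # "succeeded" reply; BND.ADDR/BND.PORT zeroed because no real socket is opened here
            reply += yamux_frame(sid, bytes([SOCKS_VER, 0, 0, ATYP_IPV4]) + b"\0" * 6)
            streams[sid] = "connected"
        # stage "connected": bytes would be copied to and from the real TCP socket
    return reply, targets


if __name__ == "__main__":
    msg = relay_open_proxy_stream(1, "bank.example", 443)
    back, seen = device_handle_message(msg)
    print("device would open:", seen)   # [(1, 'bank.example', 443)]
```

The point for defenders is where the decision is made: the destination is chosen at the relay, while the TCP connection to the bank or shop is opened from the phone, so server-side logs show only the victim’s home IP. On the device or network side, a long-lived outbound WebSocket whose binary messages begin with a Yamux header followed by `05 01 00` and a SOCKS5 CONNECT is the shape of traffic worth hunting for.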

Advanced Capabilities

Beyond its proxy functionality, Mirax boasts several advanced features:

– Hidden Virtual Network Computing (HVNC): This lets attackers operate the infected device remotely without the user noticing, so they can initiate fund transfers or extract sensitive data from within the victim’s own apps and sessions.

– Extensive Application Injects: With support for over 700 application injects, Mirax can overlay fake screens on legitimate banking and payment apps, tricking users into entering credentials that are then captured by the attackers.

– Credential Theft and Remote Control: Together, HVNC and the application injects support large-scale account takeover and financial fraud, carried out from the victim’s own device and IP address rather than from attacker infrastructure.

Implications for Users and Financial Institutions

The emergence of Mirax shows how mobile malware keeps gaining sophistication. With infected devices serving as residential proxy nodes, attacker activity becomes harder to trace and block. This is a real problem for users and financial institutions alike: IP-reputation and geolocation controls lose their signal when a fraudulent session arrives from the customer’s own home IP address, and device-level checks are of little help when the session is driven through HVNC on the customer’s own phone.

Protective Measures

To mitigate the risk posed by Mirax and similar malware:

– Exercise Caution with App Downloads: Avoid installing apps from unofficial sources or following links in untrusted advertisements. An IPTV or sports streaming app offered through a social media ad and delivered as an APK from a file-hosting page is exactly the lure described above.

– Verify App Permissions: Be wary of apps requesting excessive permissions, especially Accessibility Services. A video player has no legitimate need for Accessibility access, and an app that shows an “installation failed” screen right after being granted it should be uninstalled immediately.

– Keep Devices Updated: Regularly update your device’s operating system and applications to patch known vulnerabilities.

– Use Security Solutions: Keep Google Play Protect enabled and employ reputable mobile security software to detect and prevent malware infections.
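For administrators triaging a fleet or a single suspect phone, the permission check above can be automated. The following Python helper is an added example (not from the report or from any vendor tool): it combines the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and flags every enabled accessibility service whose package was not installed by a known store. The sample outputs embedded below are constructed, the package `com.sportstream.player` is made up, and the store allowlist is an assumption to be extended for your own devices.

```python
"""Flag enabled accessibility services that belong to sideloaded packages.
Added triage example; inputs mirror two real adb commands, but the sample text
below is constructed and the non-Google package names are made up."""

# Output of: adb shell settings get secure enabled_accessibility_services   (constructed sample)
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.sportstream.player/.PlaybackHelperService"
)
# Output of: adb shell pm list packages -i   (constructed sample; installer=null = no store app)
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.sportstream.player  installer=null
package:com.bank.example  installer=com.android.vending
"""
# Assumption: installer package names you trust (Play Store, Galaxy Store); extend per fleet.
STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}


def parse_enabled_services(raw):
    """The setting is a colon-separated list of ComponentName strings 'pkg/cls';
    a class beginning with '.' is shorthand for 'pkg.cls'."""
    services = []
    for item in raw.strip().split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(raw):
    """Map package name -> installer package (None when pm reports 'null')."""
    installers = {}
    for line in raw.splitlines():
        if not line.startswith("package:"):
            continue
        pkg_field, _, inst_field = line.partition("installer=")
        pkg = pkg_field[len("package:"):].strip()
        inst = inst_field.strip()
        installers[pkg] = None if inst == "null" else inst
    return installers


def sideloaded_accessibility_services(enabled_raw, installers_raw, stores=STORE_INSTALLERS):
    """Return [(pkg, service_class, installer)] for enabled services not installed by a store."""
    installers = parse_installers(installers_raw)
    flagged = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        inst = installers.get(pkg)
        if inst not in stores:
            flagged.append((pkg, cls, inst))
    return flagged


if __name__ == "__main__":
    for pkg, cls, inst in sideloaded_accessibility_services(SAMPLE_ENABLED, SAMPLE_INSTALLERS):
        print("suspicious accessibility service:", cls, "installer:", inst)
```

Preinstalled system apps can also report `installer=null`, so the list is a starting point for review rather than a verdict; on a device that went through the infection chain described above, though, an accessibility service from a package with no store installer, named like a media helper, is the first thing to look at.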

Staying informed about emerging threats and adopting proactive security practices are essential steps in safeguarding against sophisticated malware like Mirax.