The Android threat landscape continues to evolve rapidly, and a newly discovered malware family named Mirax is a strong indicator of where things are heading. Emerging in late 2025 and actively tracked in 2026, Mirax is not just another banking trojan—it represents a sophisticated convergence of Remote Access Trojan (RAT) capabilities and residential proxy abuse.
This hybrid design significantly increases both its operational power and monetization potential, making it a serious concern for cybersecurity professionals, financial institutions, and everyday users alike.
What Makes Mirax Different?
Unlike traditional Malware-as-a-Service (MaaS) platforms, Mirax follows a restricted distribution model. Access is limited to vetted cybercriminal affiliates—primarily Russian-speaking actors—ensuring tighter operational control and reduced exposure.
From a technical standpoint, Mirax blends:
- Full RAT capabilities
- Banking trojan functionalities
- SOCKS5 residential proxy integration
This combination allows attackers not only to steal sensitive data but also to repurpose infected devices as proxy nodes, masking malicious activity behind legitimate residential IPs.

Infection Chain: How Mirax Spreads
Mirax campaigns rely heavily on social engineering and legitimate platforms for distribution.
Key Distribution Tactics:
- Malicious ads on Meta platforms: attackers use Facebook, Instagram, and similar platforms to lure victims.
- Fake IPTV / streaming apps: users are tricked into downloading APKs disguised as illegal streaming apps.
- GitHub abuse: droppers are hosted on GitHub Releases and updated frequently to evade detection.
- Device filtering: delivery sites serve the payload only to mobile clients, so desktop-based security scanners never receive it.
Once installed, the dropper initiates a multi-stage infection process that hides the real payload until execution.
Multi-Stage Payload Delivery
Mirax uses advanced obfuscation and encryption techniques to evade detection:
- Encrypted .dex payload hidden in the APK assets
- Decryption with the RC4 cipher using hardcoded keys
- Final payload additionally encrypted with XOR
- Dynamic loading from obfuscated directory structures
This layered approach makes static and dynamic analysis significantly harder.
As described in the original report, the malware never places the malicious code in a directly accessible section of the APK; it extracts and decrypts it only at runtime.
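A Python unpacker for this two-layer scheme, added here as an illustration (it is not Mirax's code and is not taken from the original report). The RC4 key, the XOR key and the layer order (RC4 on the outside, XOR on the inside) are assumptions standing in for the values an analyst would recover from the decompiled dropper; the sample asset is constructed inside the script rather than taken from a real APK.

```python
"""Unpacker for a Mirax-style two-layer payload: RC4 outer layer, XOR inner layer.

Added example, not Mirax's own code. The keys and the layer order are
assumptions; replace them with the constants pulled from the dropper.
"""
from __future__ import annotations

DEX_MAGIC = b"dex\n"

# Hypothetical stand-ins for the hardcoded keys found in the dropper.
RC4_KEY = b"hardcoded-rc4-key"
XOR_KEY = b"\x5a\xa5\x3c"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Symmetric: the same call
    encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; also symmetric."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack(asset: bytes) -> bytes:
    """Strip the RC4 layer, then the XOR layer, and validate the dex header.

    The magic check is what tells you whether the recovered keys and the
    assumed layer order are right: a wrong key yields bytes that never
    start with b"dex\\n".
    """
    inner = rc4(RC4_KEY, asset)
    dex = xor(XOR_KEY, inner)
    if not dex.startswith(DEX_MAGIC):
        raise ValueError("decrypted blob is not a dex file (wrong key or layer order)")
    return dex


def pack(dex: bytes) -> bytes:
    """Inverse of unpack(); used only to build the constructed sample below."""
    return rc4(RC4_KEY, xor(XOR_KEY, dex))


# Constructed sample: a minimal dex header ("dex\n035\0") plus filler,
# packed the way the dropper would ship it under assets/.
SAMPLE_DEX = b"dex\n035\x00" + b"\x00" * 24 + b"payload-body"
SAMPLE_ASSET = pack(SAMPLE_DEX)

if __name__ == "__main__":
    recovered = unpack(SAMPLE_ASSET)
    print("recovered", len(recovered), "bytes; header:", recovered[:8])
```

When working on a real sample, dump the asset bytes from the APK, swap in the key constants from the decompiled loader class, and let the magic check tell you whether RC4 and XOR are applied in the order you assumed; if it fails, try the layers the other way round before concluding the keys are wrong.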
Core Capabilities of Mirax
Once installed and granted permissions (especially Accessibility Services), Mirax gains extensive control over the device.
1. Credential Theft via Overlay Attacks
Mirax injects fake HTML overlays on top of legitimate apps, capturing:
- Banking credentials
- PINs and passwords
- Crypto wallet access
2. Full Remote Control (RAT Features)
Attackers can:
- View and control the screen (VNC-like access)
- Simulate taps, swipes, and navigation
- Launch or block applications
3. Surveillance & Data Exfiltration
The malware can:
- Capture screenshots
- Access camera feeds
- Steal SMS messages
- Extract clipboard data
4. Persistence Mechanisms
Mirax uses:
- Black screen overlays
- Fake update screens
- Anti-uninstall protections
to maintain long-term access.
Game-Changer: Residential Proxy Integration
The most innovative feature of Mirax is its built-in SOCKS5 proxy functionality.
Why This Matters:
- Infected devices act as residential proxy nodes
- Attackers route traffic through real user IP addresses
- Helps bypass fraud detection and geo-restrictions
This turns every infected phone into a node of a distributed proxy botnet whose traffic blends in with ordinary residential broadband, which is far harder to spot than traffic from hosting providers.
The malware communicates over WebSockets and keeps a separate channel, on its own endpoint and port, for each function:
- /control: command execution
- /data: data exfiltration
- /tunnel: proxy traffic
This separation lets the operator run control, surveillance, and proxy traffic through the same device at the same time.
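A detection rule for this three-channel pattern, added here as an example (not from the original report and not from any real Mirax capture). It runs over egress connection records from a mobile fleet and flags a device as a proxy node when it holds a WebSocket to a /tunnel endpoint, distinguishing devices that also hold /control and /data to the same host from devices that only carry proxy traffic, which is the "partial infection" case the page describes. The log format, the hosts, the byte counts and the device names are constructed for the example.

```python
"""Flag mobile devices whose egress shows the /control, /data, /tunnel
WebSocket pattern. Added example; the record format and all values below
are constructed, not taken from real Mirax traffic."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Constructed record layout (assumed, not a real product's log format):
# <ts> dev=<id> dst=<host>:<port> upgrade=websocket path=<path> up=<bytes> down=<bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) dev=(?P<dev>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) "
    r"upgrade=websocket path=(?P<path>\S+) up=(?P<up>\d+) down=(?P<down>\d+)$"
)
C2_PATHS = frozenset({"/control", "/data", "/tunnel"})


@dataclass(frozen=True)
class Conn:
    ts: str
    dev: str
    host: str
    port: int
    path: str
    up: int    # bytes sent by the phone
    down: int  # bytes received by the phone


def parse(line: str) -> Conn | None:
    """Parse one record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Conn(m["ts"], m["dev"], m["host"], int(m["port"]), m["path"],
                int(m["up"]), int(m["down"]))


def find_proxy_nodes(lines: Iterable[str]) -> list[dict]:
    """Group records by (device, destination host) and report proxy nodes.

    When the phone relays traffic for the operator, the responses it fetches
    on the operator's behalf flow back up the /tunnel channel, so upload
    volume on /tunnel is the signal worth reporting.
    """
    by_key: dict[tuple[str, str], dict] = defaultdict(
        lambda: {"paths": set(), "tunnel_up": 0})
    for line in lines:
        c = parse(line)
        if c is None:
            continue
        slot = by_key[(c.dev, c.host)]
        if c.path in C2_PATHS:
            slot["paths"].add(c.path)
        if c.path == "/tunnel":
            slot["tunnel_up"] += c.up
    hits = []
    for (dev, host), slot in by_key.items():
        if "/tunnel" not in slot["paths"]:
            continue
        role = "rat+proxy" if slot["paths"] == C2_PATHS else "proxy-only"
        hits.append({"device": dev, "c2": host, "role": role,
                     "tunnel_up_bytes": slot["tunnel_up"]})
    return sorted(hits, key=lambda h: h["device"])


# Constructed sample records. phone-17 shows the full triad, phone-22 has
# control and data but no tunnel, phone-31 is a legitimate chat socket,
# phone-40 only carries proxy traffic (the "partial infection" case).
SAMPLE_LOGS = """\
2026-02-10T09:12:01Z dev=phone-17 dst=203.0.113.5:443 upgrade=websocket path=/control up=4096 down=16384
2026-02-10T09:12:02Z dev=phone-17 dst=203.0.113.5:8443 upgrade=websocket path=/data up=512000 down=2048
2026-02-10T09:12:03Z dev=phone-17 dst=203.0.113.5:9443 upgrade=websocket path=/tunnel up=1400000 down=300000
2026-02-10T10:40:11Z dev=phone-17 dst=203.0.113.5:9443 upgrade=websocket path=/tunnel up=1000000 down=210000
2026-02-10T09:15:44Z dev=phone-22 dst=203.0.113.5:443 upgrade=websocket path=/control up=2048 down=8192
2026-02-10T09:15:45Z dev=phone-22 dst=203.0.113.5:8443 upgrade=websocket path=/data up=90000 down=1024
2026-02-10T09:20:00Z dev=phone-31 dst=chat.example.net:443 upgrade=websocket path=/socket up=30000 down=45000
2026-02-10T11:02:09Z dev=phone-40 dst=198.51.100.7:9443 upgrade=websocket path=/tunnel up=800000 down=120000
not a connection record
""".splitlines()

if __name__ == "__main__":
    for hit in find_proxy_nodes(SAMPLE_LOGS):
        print(hit)
```

The rule keys on the endpoint paths the page names, so it needs visibility into the WebSocket upgrade (an MDM egress proxy or TLS-inspecting gateway); on plain flow data the only usable signal is the sustained upload volume on a long-lived connection, which is weaker. Matching on the exact paths is also brittle once the operator renames them, so treat this as a starting rule rather than a signature.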
Targeting Strategy
Initial campaigns primarily targeted Spanish-speaking users, particularly in Spain. However, Mirax supports multiple languages, indicating plans for global expansion.
The malware dynamically adapts its attack surface:
- Detects installed apps
- Downloads relevant phishing templates
- Targets over 180 applications, including banks and crypto platforms
Abuse of Legitimate Infrastructure
One of the most concerning aspects of Mirax is how effectively it leverages trusted platforms:
- Meta Ads for large-scale reach
- GitHub for payload hosting
- WebSockets for stealthy communication
This reduces operational friction for attackers while increasing campaign success rates.
Security Implications
Mirax represents a shift toward multi-purpose malware ecosystems where:
- A single infection yields multiple revenue streams
- Devices serve both as victims and infrastructure
- Partial infections still retain value (via proxy use)
This significantly raises the stakes for detection and mitigation.
Our Opinion
Mirax is not just another Android malware—it’s a preview of the next generation of cybercrime infrastructure. What makes it particularly dangerous is not just its technical sophistication, but its economic efficiency.
By combining RAT capabilities with residential proxy functionality, attackers maximize the value of each compromised device. Even if a user denies critical permissions like Accessibility Services, the device can still be exploited as part of a proxy network. This “fail-safe monetization” model is a major evolution in malware design.
Equally concerning is the abuse of legitimate ecosystems like Meta and GitHub. These platforms provide scalability, credibility, and resilience—making detection far more difficult. Traditional defenses that rely on identifying suspicious hosting or distribution channels are becoming less effective.
From a defensive standpoint, this means cybersecurity strategies must shift toward behavioral detection, real-time monitoring, and user awareness. The reliance on sideloaded apps—especially in regions where piracy is common—continues to be a major weakness exploited by attackers.
Ultimately, Mirax highlights a critical reality: modern malware is no longer just about stealing data—it’s about building distributed, monetizable ecosystems. And that makes it far more dangerous.
