A newly discovered Android malware called Mirax has been quietly circulating in underground criminal forums since late 2025, posing a growing threat to mobile users across Europe and beyond.
What sets it apart from typical banking trojans is its dual purpose: it steals banking credentials while simultaneously converting infected phones into residential proxy nodes, giving attackers a way to route malicious traffic through a victim’s legitimate IP address.
This combination of capabilities marks a meaningful evolution in how mobile malware is built and monetized.
Mirax functions as a Malware-as-a-Service (MaaS) offering, rented out to criminal affiliates who run independent campaigns using a shared platform.
Unlike most open-market MaaS tools, access is intentionally limited to a small number of trusted affiliates, with preference given to Russian-speaking actors known within underground cybercrime communities.
This controlled distribution appears designed to keep the malware operating quietly for as long as possible, reducing the chances of early discovery by security researchers.
Cleafy researchers identified and actively tracked Mirax from March 2026 onward, after detecting multiple campaigns that were directed at Spanish-speaking users.
Their investigation revealed that the malware had first appeared on underground forums on December 19, 2025, with campaigns already reaching over 200,000 accounts through paid Meta advertisements across Facebook and Instagram.
The scale of the operation within such a short timeframe highlights how aggressively the operators moved to push the new tool.
The infection begins with a social media advertisement that leads victims to a phishing website posing as an IPTV or illegal sports streaming service.
Since these types of applications are not available on the Google Play Store, users are already comfortable sideloading apps from outside official channels, which makes the social engineering far easier to execute.
The dropper files are hosted on GitHub’s Releases page and updated daily with fresh package hashes to avoid hash-based detection tools, even though the application’s actual content remains unchanged between those updates. Once installed, the dropper silently decrypts and delivers the final malware payload directly onto the device.
After completing installation, the malware disguises itself as a video playback utility and immediately prompts the user to enable Accessibility Services.
Once that permission is granted, it runs entirely in the background while displaying a fake error page to the user, making it appear as though the installation had never completed.
The Residential Proxy Mechanism
One of Mirax’s most alarming capabilities is its embedded residential proxy feature, which goes far beyond what a standard banking trojan typically offers.
Using the SOCKS5 protocol and Yamux multiplexing over WebSocket channels, the malware creates a persistent proxy tunnel between the infected phone and a relay server controlled by the attackers.
This lets operators route their internet activity through the victim’s real residential IP address, making it appear as though the traffic is coming from an ordinary home user rather than a criminal infrastructure.
The practical impact of this is significant. With access to a victim’s residential IP address, attackers can bypass geolocation restrictions, evade fraud detection systems, and carry out attacks such as account takeovers, transaction fraud, and password spraying — all while looking like a regular home user rather than a known bad actor. Banks and platforms that rely on IP-based fraud checks are particularly exposed to this approach.
Cleafy researchers also noted that even when victims denied the Accessibility Services request, the malware could still activate its proxy module using fewer permissions, meaning operators could extract value from incomplete infections rather than abandoning those devices.
This signals a mature and deliberate monetization strategy built into the malware’s design.

Android users are strongly advised to avoid downloading apps from outside the Google Play Store, especially those advertised on social media.
Periodically reviewing which apps have been granted Accessibility Services and revoking permissions for anything unrecognized can also help detect a compromise before significant damage occurs.
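As an added, defender-side example (not from the Cleafy report or this article), the POSIX shell script below audits a connected Android device over adb for the two signs the article recommends checking: enabled Accessibility Services that the owner did not grant on purpose, and third-party packages that were not installed from Google Play. The allowlist, package names and sample device output are constructed; it assumes adb is installed and a device is authorized when run with `--live`.

```shell
#!/bin/sh
# Added defender-side example (not from the Cleafy report): audit an Android
# device over adb for enabled Accessibility Services outside an allowlist and
# for third-party packages that did not come from Google Play (sideloaded).
# The allowlist and all package names are constructed for illustration.
set -eu

# Accessibility services the owner expects (constructed allowlist; edit for your device).
EXPECTED_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# $1: value of `settings get secure enabled_accessibility_services` (pkg/cls entries
# separated by ':', or "null" when none). $2: allowlist in the same format.
# Prints each enabled service not on the allowlist; returns 1 if any was found.
flag_unknown_a11y() {
    enabled=$1 expected=$2 found=0
    [ "$enabled" = "null" ] && return 0
    old_ifs=$IFS; IFS=:
    for svc in $enabled; do
        case ":$expected:" in
            *":$svc:"*) ;;                                   # expected service
            *) echo "UNEXPECTED accessibility service: $svc"; found=1 ;;
        esac
    done
    IFS=$old_ifs
    return $found
}

# $1: output of `pm list packages -3 -i` (one "package:<pkg>  installer=<src>" per
# line). Prints every third-party package whose installer is not Google Play.
list_sideloaded() {
    printf '%s\n' "$1" | awk '/^package:/ {
        pkg = $1; sub(/^package:/, "", pkg)
        inst = $2; sub(/^installer=/, "", inst)
        if (inst != "com.android.vending") print pkg " (installer=" inst ")"
    }'
}

# Query a connected device; `tr` strips the CR that adb appends to each line.
audit_device() {
    a11y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    flag_unknown_a11y "$a11y" "$EXPECTED_A11Y" || echo "Revoke any service above that you do not recognise."
    echo "Third-party packages not installed from Google Play:"
    list_sideloaded "$(adb shell pm list packages -3 -i | tr -d '\r')"
}

if [ "${1:-}" = "--live" ]; then audit_device; fi
```

Run it as `sh audit.sh --live` with the device attached; the two helper functions can also be fed saved output from `settings` and `pm` to review a device offline.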