A recently identified Android malware known as Mirax has been making waves in underground cybercrime circles since late 2025, posing a significant risk to mobile users across Europe and potentially beyond. Mirax distinguishes itself by not only stealing banking credentials but also converting compromised devices into residential proxy nodes, offering attackers the ability to disguise their malicious activities by routing traffic through a victim’s legitimate IP address.
Unique Dual Functionality
Mirax represents a novel approach in the design and commercialization of mobile malware. Unlike conventional banking trojans, it serves a dual purpose by facilitating unauthorized access to financial information and establishing a proxy network through infected devices. This functionality is indicative of an evolving threat landscape where cybercriminals are finding new ways to circumvent traditional security measures.
Operating as a Malware-as-a-Service (MaaS), Mirax is selectively distributed to a small group of trusted affiliates, primarily those within Russian-speaking cybercriminal communities. This controlled dissemination strategy is intended to prolong the malware’s undetected presence, complicating efforts by cybersecurity researchers to identify and neutralize the threat.
Widespread Impact and Distribution
Since March 2026, researchers from Cleafy have been actively monitoring Mirax, observing its rapid spread among Spanish-speaking users. Their findings indicate the malware debuted on underground forums in December 2025, and by leveraging paid advertisements on platforms like Facebook and Instagram, it has already compromised over 200,000 accounts.
The initial infection typically begins with a social media ad redirecting users to a phishing site masquerading as an IPTV or illicit sports streaming service. This tactic exploits users’ familiarity with sideloading apps from non-official sources, which simplifies the social engineering. The dropper files, hosted on GitHub, are updated daily to evade detection, even though the malware payload they deliver is unchanged.
Residential Proxy Feature and Security Implications
One of Mirax’s most concerning features is its ability to transform infected phones into residential proxy nodes using the SOCKS5 protocol and Yamux multiplexing over WebSocket channels. This allows cybercriminals to mask their activities by mimicking the traffic patterns of legitimate users, effectively bypassing geolocation restrictions and fraud detection systems.
The proxy component keeps working even when the user denies Accessibility Services permissions, which underscores the malware’s sophistication and shows that its operators deliberately built it to monetize infected devices in more than one way. This makes Mirax a formidable threat to financial institutions and other entities that rely on IP-based security checks.
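Because the proxy traffic is plain SOCKS5 carried in Yamux streams over a WebSocket, network defenders can look for that framing leaving a phone. The following is an added example, not code from Cleafy or the article: a Python heuristic that parses Yamux frames out of a reassembled WebSocket binary payload and counts streams whose first Data frame is a SOCKS5 client greeting. The byte sample is constructed, and the stream IDs are an assumption (even IDs, because the phone dialled out and the operator side opens the streams).

```python
import struct

YAMUX_HDR = struct.Struct(">BBHII")  # version, type, flags, stream id, length; big-endian, 12 bytes
TYPE_DATA, TYPE_WINDOW_UPDATE, TYPE_PING, TYPE_GOAWAY = 0, 1, 2, 3
FLAG_SYN = 0x1


def parse_yamux(blob: bytes) -> list:
    """Split a WebSocket binary payload into (type, flags, stream_id, payload) tuples; [] if not a clean chain of Yamux v0 frames."""
    frames, off = [], 0
    while off < len(blob):
        if len(blob) - off < YAMUX_HDR.size:
            return []
        version, ftype, flags, sid, length = YAMUX_HDR.unpack_from(blob, off)
        if version != 0 or ftype > TYPE_GOAWAY:
            return []
        off += YAMUX_HDR.size
        body = length if ftype == TYPE_DATA else 0  # only Data frames carry a body; elsewhere Length is a value
        if off + body > len(blob):
            return []
        frames.append((ftype, flags, sid, blob[off:off + body]))
        off += body
    return frames


def looks_like_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: 0x05, NMETHODS, then exactly NMETHODS method bytes."""
    return len(payload) >= 3 and payload[0] == 0x05 and len(payload) == 2 + payload[1]


def proxy_tunnel_indicators(blob: bytes) -> dict:
    """Count streams opened inside the session and those whose first Data frame is a SOCKS5 greeting."""
    frames = parse_yamux(blob)
    opened = {sid for _, flags, sid, _ in frames if flags & FLAG_SYN and sid != 0}  # stream 0 is session-level
    first_data = {}
    for ftype, _, sid, payload in frames:
        if ftype == TYPE_DATA:
            first_data.setdefault(sid, payload)
    socks = sum(looks_like_socks5_greeting(p) for p in first_data.values())
    return {"yamux": bool(frames), "streams_opened": len(opened), "socks5_streams": socks}


# Constructed sample, not captured traffic: the operator side opens two streams (assumed even IDs),
# starts a SOCKS5 greeting on each and sends a keepalive ping; this is what a proxy node would receive.
SAMPLE = (
    YAMUX_HDR.pack(0, TYPE_WINDOW_UPDATE, FLAG_SYN, 2, 0)
    + YAMUX_HDR.pack(0, TYPE_DATA, 0, 2, 3) + b"\x05\x01\x00"
    + YAMUX_HDR.pack(0, TYPE_PING, FLAG_SYN, 0, 0x1234)
    + YAMUX_HDR.pack(0, TYPE_DATA, FLAG_SYN, 4, 3) + b"\x05\x01\x00"
    + YAMUX_HDR.pack(0, TYPE_DATA, 0, 4, 4) + b"\x05\x01\x00\x01"
)

if __name__ == "__main__":
    print(proxy_tunnel_indicators(SAMPLE))  # {'yamux': True, 'streams_opened': 2, 'socks5_streams': 2}
```

A single hit is weak evidence on its own; the point is a long-lived outbound WebSocket from a handset that carries many such streams, which ordinary streaming or chat apps do not produce.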
To mitigate the risk of infection, Android users are strongly advised to avoid downloading apps from unofficial sources and to periodically audit app permissions, particularly those related to Accessibility Services. Staying vigilant and informed is crucial in detecting and preventing significant damage from such sophisticated threats.
