
Mirax Android RAT Turns Infected Phones into Residential Proxies


The Rise of Mirax: A New Android Banking Trojan Threatens Users Worldwide

A recently identified Android banking trojan known as Mirax has begun to make waves in the cybercrime ecosystem, quickly establishing itself as a formidable threat. This malware couples sophisticated remote access features with residential proxy capabilities, transforming compromised devices into high-value infrastructure nodes for cybercriminals. Such a transformation raises significant concerns regarding the security of millions of smartphone users globally.

Unveiling Mirax’s Capabilities

Marketed as a premium Android Remote Access Trojan (RAT) and banking malware, Mirax offers attackers complete and real-time control over infected devices. Its installation triggers a suite of capabilities that include executing various commands, navigating through the device’s user interface via Accessibility Services, capturing screenshots, and monitoring user activity — all without the user’s knowledge. The malware employs dynamic HTML and JavaScript overlays that are fetched on-demand from its command-and-control (C2) server. These overlays are displayed over legitimate banking and cryptocurrency applications, allowing attackers to harvest sensitive credentials, PINs, and one-time passwords with alarming ease.

Recent research conducted by cybersecurity firm Cleafy highlights targeted campaigns that primarily focus on Spanish-speaking users in Europe. These campaigns have reached over 200,000 accounts through malicious advertisements on Meta platforms, including Facebook, Instagram, Messenger, and Threads. The proliferation of Mirax emphasizes the growing threat to unsuspecting users who may inadvertently compromise their security by engaging with fraudulent content.

From Underground Market to Exclusive Club

Mirax first emerged in underground cybercrime forums in December 2025, introduced as part of a tightly controlled Malware-as-a-Service (MaaS) model. Notably, its usage is confined to a select group of trusted affiliates, primarily Russian-speaking individuals who have proven their trustworthiness within this secretive network. Developers of Mirax operate this malware as a "private MaaS," limiting access and offering tiered subscription plans that include various feature sets. This commercial model is reminiscent of enterprise software, marked by a commitment to ongoing feature development and comprehensive documentation.

Beyond its overlay features, Mirax possesses advanced surveillance capabilities. It continuously logs keystrokes across any application, enabling attackers to capture usernames, passwords, and other sensitive data entered anywhere on the device. Additionally, it gathers extensive information about the device’s lock screen configuration, including details such as PIN length and biometric unlocking methods. Such intelligence equips attackers to engage in subsequent fraudulent activities, including bypassing banking app security measures, resetting accounts, or socially engineering victims during customer support interactions.

With features that allow for live remote access and comprehensive screen monitoring, Mirax enables nearly total control of the mobile banking environment. One of its most notable features is the integrated SOCKS5 residential proxy module, which allows infected smartphones to function as proxy endpoints. By employing this technology in conjunction with Yamux multiplexing over WebSocket, Mirax maintains persistent communication channels that route attacker traffic through the victim's actual IP address. This capability not only helps attackers evade geolocation restrictions but also allows them to blend into legitimate user traffic, rendering traditional fraud detection mechanisms ineffective.

The Mechanism and Distribution of Mirax

Cleafy’s analysis also indicates that Mirax maintains distinct WebSocket channels for command control, data exfiltration, and proxy tunnel operations. Notably, these channels typically operate on non-standard ports, making them less likely to draw attention from security systems. Even if RAT functionalities are partially restricted, the proxy feature can still operate in the background, allowing criminals to derive value from only partially compromised devices for various types of cyberattacks, including account takeovers and broader network exploitation.

Current campaigns utilizing Mirax exploit the popularity of Meta Ads to funnel traffic toward phishing sites masquerading as IPTV or illegal sports streaming services. This method specifically targets users who are already familiar with sideloading Android applications, thus increasing the likelihood of successful infections. The initial APK serves as a dropper and is often updated via GitHub Releases, allowing attackers to push fresh samples while complicating detection efforts.

The dropper cleverly conceals the actual payload within encrypted files, employing complex decryption routines to resist static analysis. Once unpacked, the malware disguises itself as a video player, requesting Accessibility privileges to remain active in the background, often obscuring its activities with fake error messages.

Evolving Threat Landscape

The emergence of Mirax signifies a troubling evolution in the Android banking trojan landscape, transforming simple credential-stealing malware into comprehensive platforms that integrate RAT, spyware, and residential proxy capabilities into a single, powerful tool. By taking advantage of reputable platforms like Meta's advertising network and GitHub, Mirax enables attackers to monetize infections in various ways while weaponizing everyday smartphones as both targets and infrastructure.

Given the sophistication of Mirax, security teams are encouraged to enhance mobile threat defenses. It is essential to monitor for unusual proxy-like traffic emanating from devices and educate users about heightened risks associated with sideloading apps from social media advertisements, particularly those that promise free streaming or pirated content.
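As an added example (not from the article or from Cleafy's research), the following Python scores devices on the two traits the article attributes to the Mirax proxy module: a persistent channel on a non-standard port and traffic fanned out to many destinations. The flow records, address ranges and thresholds are constructed assumptions for illustration.

```python
"""Heuristic for the detection advice above: spot devices whose egress looks
like a residential-proxy exit. Constructed flow records, assumed thresholds."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    device_ip: str   # phone on the monitored Wi-Fi / VPN segment
    dst_ip: str
    dst_port: int
    bytes_out: int
    duration_s: int


# Assumption: ports a phone normally talks to; anything else is "non-standard".
STANDARD_PORTS = {80, 443, 853, 5228}
LONG_SESSION_S = 1800  # assumption: a channel held open for over 30 minutes


def proxy_like_devices(flows: List[Flow], min_dests: int = 25) -> Dict[str, dict]:
    """Flag devices showing BOTH a persistent non-standard-port channel (the
    tunnel) AND fan-out to many distinct destinations (relayed traffic)."""
    by_dev: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_dev[f.device_ip].append(f)
    flagged: Dict[str, dict] = {}
    for dev, fs in by_dev.items():
        tunnels = {(f.dst_ip, f.dst_port) for f in fs
                   if f.dst_port not in STANDARD_PORTS and f.duration_s >= LONG_SESSION_S}
        dests = {f.dst_ip for f in fs}
        if tunnels and len(dests) >= min_dests:
            flagged[dev] = {"distinct_dests": len(dests),
                            "tunnel_candidates": sorted(tunnels)}
    return flagged


def sample_flows() -> List[Flow]:
    """Constructed data (RFC 5737 documentation addresses): one ordinary phone
    and one that holds a long tunnel and relays traffic to 40 destinations."""
    normal = [Flow("10.0.0.5", f"203.0.113.{i}", 443, 4_000, 20) for i in range(1, 9)]
    tunnel = [Flow("10.0.0.7", "198.51.100.9", 8443, 500_000, 7_200)]
    relayed = [Flow("10.0.0.7", f"192.0.2.{i}", 443 if i % 3 else 80, 2_000, 5)
               for i in range(1, 41)]
    return normal + tunnel + relayed


if __name__ == "__main__":
    for dev, info in proxy_like_devices(sample_flows()).items():
        print(dev, info)
```

Requiring both signals together keeps an ordinary phone with a single long push-notification connection, or one that simply browses many sites, from being flagged on its own.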

The rapid rise of Mirax serves as a stark reminder of the evolving threats in the digital landscape. As cybercriminals continue to leverage innovation for illicit activities, vigilance and proactive security measures remain critical in safeguarding users from emerging dangers.

