Mirax: Android Trojan Turns Smartphones into Proxies for Scammers
The new Mirax malware for Android not only steals data and provides remote access but also uses infected devices as proxy nodes. This allows attackers to mask traffic and expand their attack infrastructure, increasing the effectiveness of fraud schemes.
Distribution and Threat Masking
Mirax spreads through phishing APK files disguised as IPTV, video streaming, IoT device, and entertainment software applications. Ads appear on Meta platforms, targeting users in Spanish-speaking regions. Campaigns cover hundreds of thousands of accounts, verifying mobile devices before issuing links to GitHub Releases.
Access to the platform is restricted to verified partners from Russian-speaking communities, minimizing exposure risks. This model reduces the likelihood of leaks and extends the threat lifecycle.
Malware Functionality
After installation, Mirax provides operators full control:
- Screen viewing and management;
- App launching;
- SMS collection, clipboard data;
- Lock screen information, including PIN, graphic key, and biometrics.
To steal credentials, HTML overlays are loaded over banking and crypto applications. This is a standard banking trojan technique, but Mirax stands out with additional capabilities.
Unique Proxy Function
The key innovation is the integration of SOCKS5 and Yamux to turn the device into a resident proxy. Attackers route traffic through the victim's IP, bypassing geoblocks and antifraud systems.
This scheme expands the use of infected smartphones beyond direct fraud. Devices integrate into botnets for DDoS, scanning, or other operations, increasing the profitability of each infection.
What Matters
- Mirax evolves Android threats, combining surveillance, data theft, and proxy functions in one package;
- Campaign reach exceeds 200 thousand accounts in Latin America;
- Limited platform access enhances operational secrecy;
- Proxy nodes reduce detection and expand attack scenarios;
- Growth of such threats signals a shift toward infrastructure attacks.
Context and Consequences
Previously, proxy botnets were associated with IoT and cheap gadgets. Now, full-fledged trojans like Mirax bring this model to premium smartphones, increasing scale and profitability. Reasons for success lie in the combination of social engineering via ads and technical maturity.
Consequences for users include loss of control over devices and finances, plus risks to banking systems. The industry faces the need to strengthen mobile protection, including behavioral analysis and overlay blocking. Meta regulators are already responding to phishing ads, but complete eradication requires cross-platform cooperation.
Globally, this reflects a trend toward monetizing infections through infrastructure. According to analysts, similar trojans could double cybercriminal profits due to multifunctionality.
— Editorial Team
No comments yet.