Mirax Android Trojan: How It Hijacks Devices for Proxy Abuse


Cybersecurity researchers have uncovered a new Android banking trojan that goes beyond typical credential theft. Known as Mirax, the malware steals sensitive data and also turns compromised smartphones into residential proxy nodes. Combining remote access with proxy abuse lets the operators monetize an infection twice: once through the victim's own accounts, and again by routing other criminal traffic through the victim's home IP address.

According to a detailed report from Cleafy, the malware is currently targeting Spanish-speaking users across Europe. The malicious social media advertisements used to distribute it have already reached more than 200,000 accounts. The trojan is offered under a restricted Malware-as-a-Service (MaaS) model that limits access to a small group of affiliates; this controlled distribution helps the operators keep a low profile while keeping campaigns effective.

How the Mirax Android Trojan Spreads

Social engineering lies at the heart of the Mirax distribution chain. Attackers run fake advertisements for illegal streaming applications, such as IPTV services, on popular social media platforms and direct users to download the app from outside official app stores, which requires the victim to allow installation from unknown sources. The malware is hosted on GitHub and updated frequently, which makes it harder for security tools to keep track of the current payload.

Once a user installs the fake app, the trojan runs a multi-stage process: it decrypts hidden payloads and establishes WebSocket channels to its operators, which are used to control the device and exfiltrate data in real time. It also performs device checks designed to evade automated analysis, such as sandbox detection.

Remote Access and Surveillance Capabilities

The Mirax Android Trojan gives attackers full control of infected devices. It can execute commands, monitor user activity, and display fake overlays on top of legitimate banking or social media apps. These overlays are fetched on demand from the command-and-control (C2) servers, so the list of targeted apps is not visible in the installed package and signature-based antivirus detection is much harder.

In addition, the malware integrates surveillance features such as continuous keylogging and collection of lock screen details, including PIN structure and biometric usage patterns. Attackers can therefore harvest credentials and personal information without raising suspicion. Because credentials are captured as the user types them, whether into an overlay or into the real app, strong passwords and biometric locks offer little protection once a device is compromised.
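The two traits described above, sideloading from outside an official store and the ability to draw overlays on top of other apps, are both visible from a USB-connected phone with adb. The following triage script is an added example written for this article, not code from the Cleafy report or from the malware. It parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` (overlay permission state); the sample output and package names embedded below are constructed, and treating Google Play as the only trusted installer is an assumption you should adjust for OEM stores in your fleet.

```python
"""Triage helper for a possibly compromised Android phone (added example).

Flags third-party packages that were sideloaded (installer is not an
official store) and packages allowed to draw overlays (SYSTEM_ALERT_WINDOW).
Input is the text of two adb commands; constructed sample output is
embedded so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Official-store installer package names (assumption: Google Play only;
# add trusted OEM stores as appropriate for the fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -3 -i` (package names are hypothetical)
SAMPLE_PACKAGE_LIST = """\
package:com.example.bank installer=com.android.vending
package:tv.iptv.free installer=com.google.android.packageinstaller
package:com.social.app installer=com.android.vending
package:org.example.browser installer=null
"""

# Constructed sample of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`, per package
SAMPLE_APPOPS = {
    "com.example.bank": "No operations.",
    "tv.iptv.free": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m22s ago",
    "com.social.app": "SYSTEM_ALERT_WINDOW: allow; time=+30d4h ago",
    "org.example.browser": "SYSTEM_ALERT_WINDOW: deny; rejectTime=+5m ago",
}

PKG_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


@dataclass
class Finding:
    package: str
    installer: Optional[str]
    sideloaded: bool
    overlay: bool
    risk: str  # "high", "medium" or "low"


def parse_package_list(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when adb reports 'null')."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = PKG_LINE.match(line.strip())
        if not m:
            continue  # ignore blank lines and anything not in the expected shape
        installer = m.group("installer")
        result[m.group("pkg")] = None if installer == "null" else installer
    return result


def overlay_allowed(appops_output: str) -> bool:
    """True only when appops reports the overlay op as explicitly allowed."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow\b", appops_output) is not None


def rate(sideloaded: bool, overlay: bool) -> str:
    """Sideloaded plus overlay-capable is the combination overlay trojans need."""
    if sideloaded and overlay:
        return "high"
    if sideloaded or overlay:
        return "medium"
    return "low"


def triage(package_list: str, appops_by_pkg: Dict[str, str]) -> List[Finding]:
    """Combine both adb outputs into findings, highest risk first."""
    findings = []
    for pkg, installer in parse_package_list(package_list).items():
        sideloaded = installer not in TRUSTED_INSTALLERS  # None (no installer) counts as sideloaded
        overlay = overlay_allowed(appops_by_pkg.get(pkg, ""))
        findings.append(Finding(pkg, installer, sideloaded, overlay, rate(sideloaded, overlay)))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.risk], f.package))


if __name__ == "__main__":
    for f in triage(SAMPLE_PACKAGE_LIST, SAMPLE_APPOPS):
        print(f"{f.risk:6} {f.package:25} installer={f.installer} overlay={f.overlay}")
```

On a real device, replace the two constructed samples with the live adb output. A "high" finding for an app that was advertised as a free IPTV player is exactly the pattern this campaign produces; a "medium" finding is worth a second look but is common for legitimate apps such as browsers and screen-recording tools.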

Residential Proxy Abuse: A New Attack Vector

One of the defining features of the Mirax Android Trojan is its ability to convert infected devices into residential proxy nodes. Attackers route malicious traffic through the victim's legitimate residential IP address, bypassing geographic restrictions and IP-reputation-based fraud controls. This extends the malware's role beyond financial theft: compromised devices become infrastructure for broader cybercriminal activity, including account takeovers (ATO) and anonymized network attacks.

Building on this functionality, the trojan lets attackers launch secondary attacks that appear to originate from trusted residential IPs, which makes it harder for banks and online services to distinguish fraudulent sessions from a legitimate customer's own traffic. For a deeper look at proxy abuse in modern malware, see our analysis of DeadLock Ransomware Using Polygon Smart Contracts for Proxy Rotation.
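IP reputation alone will not catch traffic relayed through an infected phone, since the address really is residential. One signal that survives the proxy is behavioural: a home connection normally authenticates a handful of accounts, while an address fronting other people's fraud cycles through many unrelated accounts in a short time. The script below is an added example for this article, not detection logic from Cleafy or from any product; the velocity heuristic, the 10-minute window and the threshold of three accounts are assumptions to be tuned against your own baseline, and the login log lines it runs over are constructed (RFC 5737 documentation addresses).

```python
"""Flag residential IPs that behave like proxy exit nodes (added example).

Heuristic (an assumption, not from the Cleafy report): an IP that
authenticates more than MAX_ACCOUNTS_PER_WINDOW distinct accounts inside
WINDOW is behaving like shared infrastructure rather than one household.
Runs over constructed login-log lines embedded below.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+login\s+ip=(?P<ip>[\d.]+)\s+account=(?P<acct>\S+)\s+result=(?P<res>\w+)$"
)

# Constructed sample: two normal home IPs and one IP cycling through accounts
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login ip=203.0.113.10 account=alice result=ok
2024-05-01T10:00:05Z login ip=198.51.100.7 account=bob result=ok
2024-05-01T10:01:12Z login ip=203.0.113.10 account=alice result=ok
2024-05-01T10:02:40Z login ip=192.0.2.44 account=carol result=ok
2024-05-01T10:03:02Z login ip=192.0.2.44 account=dave result=ok
2024-05-01T10:04:19Z login ip=192.0.2.44 account=erin result=fail
2024-05-01T10:05:57Z login ip=192.0.2.44 account=frank result=ok
2024-05-01T10:06:30Z login ip=198.51.100.7 account=bob result=ok
2024-05-01T10:45:00Z login ip=192.0.2.44 account=grace result=ok
"""

WINDOW = timedelta(minutes=10)
MAX_ACCOUNTS_PER_WINDOW = 3   # assumption: tune against your user base


def parse(line):
    """Return (timestamp, ip, account, result) or None for lines not in the expected shape."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["acct"], m["res"]


def suspicious_ips(log_text, window=WINDOW, max_accounts=MAX_ACCOUNTS_PER_WINDOW):
    """Return {ip: peak distinct accounts in any sliding window} for IPs over the threshold.

    Failed logins are counted too: credential-stuffing through a proxy node
    produces failures as well as successes.
    """
    events = sorted(e for e in map(parse, log_text.splitlines()) if e)
    recent = defaultdict(deque)   # ip -> (timestamp, account) pairs still inside the window
    peak = defaultdict(int)
    for ts, ip, acct, _res in events:
        q = recent[ip]
        q.append((ts, acct))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = len({a for _, a in q})
        peak[ip] = max(peak[ip], distinct)
    return {ip: n for ip, n in peak.items() if n > max_accounts}


if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct accounts within {WINDOW}")
```

In the sample, 192.0.2.44 serves four different accounts in under four minutes and is flagged, while the later login at 10:45 is far enough away to fall outside the window. In production this check belongs next to, not instead of, device-fingerprint and session-behaviour signals, and the threshold must be calibrated so that shared households and corporate NATs do not drown the alerts.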

The Evolution of Mobile Threats

Cleafy’s research highlights that the Mirax Android Trojan reflects a wider evolution in mobile threats. Tools are becoming more modular and commercially structured, with malware authors adopting business-like models. The MaaS approach used by Mirax limits access to vetted affiliates, reducing the risk of exposure while increasing the sophistication of campaigns.

Although current campaigns focus on Spain, analysts warn that the malware’s reach is likely to expand as operators refine their tactics. Similar Android banking trojan trends show that geographic targeting often broadens after initial success. Users should remain vigilant and avoid downloading apps from unverified sources, especially those promoted via social media ads.

To stay protected, install apps only from official stores such as Google Play, keep "install unknown apps" disabled for browsers and social media apps, enable two-factor authentication, and use reputable mobile security software. If you suspect your device is compromised, treat it as untrusted: change all critical passwords from a device you trust, then run a full security scan or factory-reset the phone, because a remote-access trojan can capture anything typed on it.
