Android Trojan Mirax Creates Residential Proxy Network

Summary
– The Mirax Android banking trojan is spreading in Europe, using remote access and residential proxy capabilities to increase its impact.
– It targets Spanish-speaking users via social media ads, reaching over 200,000 accounts by promoting illegal streaming apps.
– The malware operates under a restricted Malware-as-a-Service model, allowing full device control, dynamic fake overlays, and surveillance like keylogging.
– A key feature is its ability to turn infected devices into proxy nodes, letting attackers route traffic through legitimate residential IP addresses to evade fraud detection and geographic restrictions.
– Its distribution relies on social engineering, with malware hosted on GitHub and multi-stage installation to evade detection.
A sophisticated new Android banking trojan is actively targeting users across Europe, merging remote access functionality with a residential proxy network to amplify its threat. Identified as Mirax, this malware has already impacted over 200,000 accounts, primarily targeting Spanish-speaking individuals through deceptive social media advertisements. Security analysts at Cleafy highlight that Mirax signifies a strategic shift in mobile malware development, operating under a restricted Malware-as-a-Service model that improves operational security and effectiveness for a select group of affiliates.
The trojan grants attackers comprehensive real-time control over compromised devices. Capabilities include executing remote commands, monitoring user activity, and dynamically deploying fake overlays on legitimate banking or streaming apps to harvest login credentials and financial data. These overlays are pulled directly from command-and-control servers, making them difficult for traditional security software to detect. Furthermore, Mirax incorporates extensive surveillance features like continuous keylogging and the collection of lock screen details, including PIN patterns and biometric usage, allowing for the stealthy theft of sensitive personal information.
Social engineering forms the core of its distribution strategy. Malicious campaigns promote illegal streaming or IPTV applications through ads on major platforms, luring users to download and install software from unofficial sources. The infection chain involves several calculated steps: social media ads cast a wide net, fake streaming apps serve as droppers, malware payloads are frequently updated on platforms like GitHub, and built-in device checks help evade automated analysis environments. Upon installation, Mirax executes a multi-stage process, decrypting hidden components and establishing persistent communication with operators via WebSockets for remote data extraction and control.
A particularly concerning aspect of Mirax is its residential proxy capability. Once a device is infected, it can be transformed into a proxy node, routing malicious traffic through a legitimate residential IP address. This allows attackers to bypass geographic content restrictions, evade fraud detection systems, and mask their activities. This functionality expands the malware’s utility far beyond simple financial theft, enabling its use as infrastructure for broader criminal operations like account takeovers and anonymized network attacks.
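The two behaviours described above, a persistent WebSocket channel to the operators and relayed traffic fanning out to unrelated destinations once the device is used as a proxy node, leave a network-side signature that a defender can look for. The following script is an added illustration, not code from Cleafy or from the Mirax report: it reads constructed flow records in a simple comma-separated format, treats a long-lived WebSocket session as a candidate control channel, and flags a device only when that session is accompanied by connections to many distinct other hosts. The record format, host names, device labels and both thresholds are assumptions chosen for the example; the point it makes is that a long WebSocket session on its own is normal (push services look the same) and only the combination with high fan-out is suspicious.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    device: str
    dst: str
    dport: int
    proto: str       # "wss" for a WebSocket session, "tcp" otherwise (assumed labels)
    duration_s: int


def parse_flow_line(line: str) -> Flow:
    """Parse one 'device,dst,dport,proto,duration_s' record (constructed format)."""
    device, dst, dport, proto, duration = [p.strip() for p in line.split(",")]
    return Flow(device, dst, int(dport), proto, int(duration))


# Constructed sample log. phone-01 is an ordinary handset that keeps a long
# push-notification WebSocket open but talks to few hosts. phone-07 holds a
# two-hour WebSocket session to one host and then opens short connections to
# 30 unrelated destinations on 443, the shape of relayed proxy traffic.
SAMPLE_LOG = [
    "phone-01,cdn.example-a.test,443,tcp,12",
    "phone-01,mail.example-b.test,993,tcp,300",
    "phone-01,push.example-c.test,443,wss,5400",
    "phone-07,ws-relay.example.test,443,wss,7200",
] + [f"phone-07,site-{i:02d}.example.test,443,tcp,{3 + i % 5}" for i in range(30)]

MIN_WS_DURATION_S = 600   # assumption: a WebSocket open >= 10 min counts as persistent
MIN_FANOUT = 20           # assumption: distinct other destinations needed to flag


def find_proxy_candidates(lines, min_ws_duration_s=MIN_WS_DURATION_S, min_fanout=MIN_FANOUT):
    """Return {device: {"channel_hosts": [...], "fanout": n}} for devices that
    combine a persistent WebSocket channel with wide destination fan-out."""
    flows = [parse_flow_line(line) for line in lines]
    channel_hosts = defaultdict(set)   # device -> hosts with a persistent WebSocket
    destinations = defaultdict(set)    # device -> every distinct destination seen
    for f in flows:
        destinations[f.device].add(f.dst)
        if f.proto == "wss" and f.duration_s >= min_ws_duration_s:
            channel_hosts[f.device].add(f.dst)

    candidates = {}
    for device, hosts in channel_hosts.items():
        # Fan-out excludes the channel host itself: we want traffic the device
        # is relaying, not the control session.
        fanout = destinations[device] - hosts
        if len(fanout) >= min_fanout:
            candidates[device] = {"channel_hosts": sorted(hosts), "fanout": len(fanout)}
    return candidates


if __name__ == "__main__":
    for device, info in find_proxy_candidates(SAMPLE_LOG).items():
        print(f"{device}: persistent channel to {info['channel_hosts']}, "
              f"{info['fanout']} other destinations")
```

Run as a script it reports only phone-07. The thresholds are the tuning knobs: raising `min_fanout` to the point where it exceeds the sample's 30 relayed destinations makes the same log produce no hits, so on real flow data they should be set against a baseline of what handsets on that network normally do.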
Cleafy’s analysis suggests Mirax reflects the ongoing evolution of mobile threats toward more modular and commercially structured tools. While current campaigns are concentrated in Spain, the malware’s adaptable framework and proxy network potential indicate its operational reach will likely grow as its developers refine their tactics.
(Source: Infosecurity Magazine)