👤 TRUSTBREAKER
🗓️ 14 Apr 2026   🌍 Europe

Shadow Networks: How Mirax Turns Your Android into a Criminal Proxy

A new breed of Android malware is quietly hijacking phones across Europe, transforming them into covert tools for global cybercrime.

It starts with a simple ad for free streaming, just another too-good-to-be-true offer on your social feed. But behind the glossy veneer lurks Mirax, a sophisticated Android Remote Access Trojan (RAT) now reshaping the mobile threat landscape. For the unsuspecting, a click spells more than just lost credentials - it means their phone could become a silent workhorse for criminal operations worldwide.

Mirax first surfaced in late 2025, but it’s already making waves among cybercriminals as a “private” Malware-as-a-Service (MaaS). Unlike commodity malware, Mirax is sold only to a select group of trusted, mostly Russian-speaking affiliates, who pay top dollar for access to its constantly evolving toolkit. The software’s commercial structure rivals that of legitimate enterprise apps, with tiered plans, extensive documentation, and regular feature updates.

Once installed - often through a phishing page disguised as an IPTV or sports streaming service - Mirax springs into action. It abuses Android’s Accessibility Services to gain deep control, capturing screens and keystrokes with surgical precision. The malware overlays fake HTML and JavaScript login screens on top of real banking and crypto apps, tricking users into handing over credentials, PINs, and one-time passwords. At the same time, it quietly logs everything from biometric unlock patterns to the length of your PIN code.

The real game-changer, however, is Mirax’s built-in SOCKS5 proxy module. By tunneling attacker traffic through victims’ phones using sophisticated multiplexing techniques, Mirax enables criminals to bypass geolocation checks and blend seamlessly into legitimate network flows. Even if the malware fails to seize full control, it can still profit - turning partially infected devices into valuable proxy nodes for password attacks, account takeovers, and more.

Distribution is as polished as the payload. Mirax operators use Meta’s ad network to lure users, then host their droppers on GitHub, where they frequently update malicious APKs to dodge detection. The dropper apps hide the final implant deep within encrypted assets, using commercial packers and layered obfuscation to resist analysis. After installation, Mirax masquerades as a harmless video player, requesting dangerous permissions and running unseen behind fake error messages.

This convergence of RAT, spyware, and proxy tech marks a new era in Android threats. Smartphones are no longer just targets - they’re infrastructure for global cybercrime. As Mirax’s tactics spread, security teams must rethink mobile defenses and educate users about the perils of sideloading from untrusted ads.

Mirax’s rise signals a chilling future: your phone could be working for cybercriminals, and you’d never know. In a world where every device is a potential asset for attackers, vigilance is no longer optional - it’s essential.
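As a defensive illustration of the Accessibility Services abuse and sideloading described above, the following added example (not part of the original article and not derived from any Mirax sample) audits a device for accessibility services owned by apps that were neither preinstalled nor installed from a trusted store. It assumes the three inputs were collected over `adb shell` with `settings get secure enabled_accessibility_services`, `pm list packages -i` and `pm list packages -s`; the sample data and package names are constructed, and the trusted-installer set is an assumption to adapt to local policy.

```python
import re

# Installer package names treated as trusted stores (assumption; extend per fleet policy).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_list_i: str) -> dict:
    """Parse `pm list packages -i` lines: 'package:<name>  installer=<source>'."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_list_i, re.M):
        out[m.group(1)] = m.group(2)
    return out

def parse_system(pm_list_s: str) -> set:
    """Parse `pm list packages -s` lines: 'package:<name>' (preinstalled apps)."""
    return set(re.findall(r"^package:(\S+)\s*$", pm_list_s, re.M))

def parse_a11y(setting: str) -> list:
    """Parse the colon-separated 'pkg/service' components; 'null' means none."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return [c for c in setting.split(":") if "/" in c]

def audit(setting, pm_list_i, pm_list_s):
    """Return (package, service, installer) for accessibility services that
    belong to apps neither preinstalled nor installed by a trusted store."""
    installers, system = parse_installers(pm_list_i), parse_system(pm_list_s)
    findings = []
    for comp in parse_a11y(setting):
        pkg, svc = comp.split("/", 1)
        src = installers.get(pkg, "unknown")
        if pkg not in system and src not in TRUSTED_INSTALLERS:
            findings.append((pkg, svc, src))
    return findings

# Constructed sample data (package and service names are made up for illustration).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.videoplayer/com.example.videoplayer.core.HelperService")
SAMPLE_PM_I = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.videoplayer  installer=null
package:com.example.bank  installer=com.android.vending
"""
SAMPLE_PM_S = "package:com.google.android.marvin.talkback\n"

if __name__ == "__main__":
    for pkg, svc, src in audit(SAMPLE_A11Y, SAMPLE_PM_I, SAMPLE_PM_S):
        print(f"REVIEW {pkg} service={svc} installer={src}")
```

A finding is a prompt for review rather than a verdict: legitimate sideloaded accessibility tools will also appear, so the result is best compared against an allowlist of apps the organisation has approved.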

WIKICROOK

  • Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
  • Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user's consent.
  • SOCKS5 Proxy: A SOCKS5 proxy routes your internet traffic through a remote server, hiding your IP address and enhancing online privacy and access flexibility.
  • Accessibility Services: Accessibility Services are Android features that help users with disabilities, but can be misused by malware to control devices or steal data.
  • Dropper: A dropper is a type of malware that secretly installs additional malicious programs on an infected device, helping attackers bypass security measures.

TRUSTBREAKER
Zero-Trust Validation Specialist