👤 KERNELWATCHER
🗓️ 14 Apr 2026   🌍 Europe

Shadow Streams: Android Devices Hijacked as Proxies in Mirax RAT Crimewave

A new Android malware campaign exploits Meta ads to infect over 220,000 users, turning their phones into covert SOCKS5 proxy nodes for global cybercrime.

In the ever-shifting arena of mobile cybercrime, a chilling new player has emerged: Mirax. Masquerading as innocent video streaming apps, this sophisticated Android Remote Access Trojan (RAT) has quietly infiltrated hundreds of thousands of devices - primarily across Spanish-speaking countries - by leveraging the reach of Facebook, Instagram, and other Meta platforms. But Mirax isn’t just another data-stealing parasite. It’s converting everyday smartphones into the backbone of a criminal proxy network, enabling hackers to mask their tracks and orchestrate fraud on a global scale.

The Anatomy of a Proxy-Building RAT

First exposed by researchers in early 2024, Mirax is marketed in dark web forums by a threat actor known as “Mirax Bot.” The malware’s defining feature? Once it breaches a victim’s smartphone - often disguised as a streaming or video player app - it doesn’t just steal data. Instead, Mirax silently enlists the device as a residential proxy node, using the SOCKS5 protocol and advanced multiplexing to route criminal traffic through the user’s real IP address. This allows attackers to bypass geographic restrictions, evade fraud detection, and carry out account takeovers or illicit transactions with a cloak of legitimacy.
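To make the SOCKS5 side of this concrete, here is an added Python example (not code from Mirax, from the researchers who analysed it, or from this site) that decodes the RFC 1928 client greeting and request, then flags a device whose decoded CONNECT requests fan out to several unrelated hosts, the traffic shape of a proxy exit node. It assumes the analyst already has the negotiation bytes in hand (for instance from a lab capture where the tunnel has been unwrapped), which the article does not describe; the device ids and payloads are constructed for the illustration.

```python
"""Decoder for SOCKS5 (RFC 1928) negotiation messages plus a simple per-device
fan-out check. Added illustration for this article, not Mirax code or the
researchers' tooling. All sample payloads below are constructed."""
import ipaddress
import struct
from collections import defaultdict

AUTH_METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP-ASSOCIATE"}


def parse_greeting(data: bytes) -> dict:
    """Client greeting: VER(0x05) | NMETHODS | METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 greeting")
    n = data[1]
    if len(data) != 2 + n:
        raise ValueError("greeting length does not match NMETHODS")
    return {"version": 5,
            "methods": [AUTH_METHODS.get(m, f"0x{m:02x}") for m in data[2:]]}


def parse_request(data: bytes) -> dict:
    """Client request: VER | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT (2 bytes, big-endian)."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    cmd, rsv, atyp = data[1], data[2], data[3]
    if rsv != 0x00:
        raise ValueError("RSV must be zero")
    off = 4
    if atyp == 0x01:                      # IPv4: 4 address bytes
        addr_len = 4
    elif atyp == 0x04:                    # IPv6: 16 address bytes
        addr_len = 16
    elif atyp == 0x03:                    # domain name: 1 length byte + name
        if len(data) < 5:
            raise ValueError("truncated domain length")
        addr_len = data[4]
        off = 5
    else:
        raise ValueError(f"unknown ATYP 0x{atyp:02x}")
    if len(data) != off + addr_len + 2:
        raise ValueError("request length does not match ATYP")
    raw = data[off:off + addr_len]
    if atyp == 0x01:
        addr = str(ipaddress.IPv4Address(raw))
    elif atyp == 0x04:
        addr = str(ipaddress.IPv6Address(raw))
    else:
        addr = raw.decode("ascii")
    (port,) = struct.unpack("!H", data[off + addr_len:])
    return {"command": COMMANDS.get(cmd, f"0x{cmd:02x}"), "address": addr, "port": port}


def proxy_like_devices(records, min_destinations=3):
    """records: iterable of (device_id, payload_bytes) for SOCKS5 requests
    attributed to that device. A consumer phone issuing CONNECT requests to
    several unrelated hosts looks like a proxy exit node; return those ids."""
    fanout = defaultdict(set)
    for device, payload in records:
        try:
            req = parse_request(payload)
        except ValueError:
            continue                      # not a SOCKS5 request; skip it
        if req["command"] == "CONNECT":
            fanout[device].add((req["address"], req["port"]))
    return sorted(d for d, dests in fanout.items() if len(dests) >= min_destinations)


def _domain_request(name: bytes, port: int) -> bytes:
    """Build a CONNECT request with a domain-name ATYP (constructed test data)."""
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


# Constructed sample "traffic"; hostnames use reserved example domains.
SAMPLE = [
    ("phone-A", _domain_request(b"shop.example", 443)),
    ("phone-A", _domain_request(b"mail.example", 443)),
    ("phone-A", b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x1f\x90"),   # CONNECT 192.0.2.10:8080
    ("phone-B", _domain_request(b"cdn.example", 443)),
    ("phone-B", b"\x16\x03\x01"),                               # TLS record header, not SOCKS5
]

if __name__ == "__main__":
    print(parse_greeting(b"\x05\x02\x00\x02"))
    print(proxy_like_devices(SAMPLE))     # ['phone-A']
```

The strict length checks matter in practice: a decoder that slices without verifying NMETHODS or ATYP against the buffer length will happily mis-parse a TLS record or a truncated frame as a SOCKS5 message and produce false alerts. The fan-out threshold is deliberately low for the toy data; on real telemetry it would be tuned per device population.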

Unlike run-of-the-mill RATs, Mirax’s distribution is tightly controlled. Its creators limit access to reputable, Russian-speaking cybercriminal affiliates, reducing the risk of detection and maximizing campaign effectiveness. The malware itself is modular: a full-featured version costs $2,500 for three months, while a cheaper, stripped-down variant omits proxy and anti-Play Protect capabilities.

The infection chain is cunning. Meta ads hawk “free” streaming apps, luring users to download malicious APKs from GitHub. These droppers then prompt victims to enable risky settings, such as installing from unknown sources and granting accessibility permissions. The final payload is staged through a sophisticated, multi-phase process designed to evade both human scrutiny and automated security tools. Once installed, Mirax maintains persistent communication with its command-and-control servers over multiple WebSocket channels - each tasked with a specific role, from remote access to proxy management and data exfiltration.

This convergence of remote control and proxy abuse marks a disturbing evolution. Traditionally, residential proxy botnets relied on hijacked IoT devices or cheap Android hardware. Mirax, however, embeds this capability in a full-featured banking trojan, expanding the operational arsenal of cybercriminals and increasing the monetization potential of every infection.

The New Normal for Mobile Threats?

The Mirax campaign’s success - powered by targeted Meta ads and robust technical design - signals a broader shift in the mobile threat landscape. Everyday smartphones are no longer just targets for credential theft; they’re unwitting accomplices in global cybercrime infrastructure. As the lines blur between personal device and criminal proxy, the need for vigilance - and smarter defenses - has never been greater.

WIKICROOK

  • Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
  • SOCKS5 Proxy: A SOCKS5 proxy routes your internet traffic through a remote server, hiding your IP address and enhancing online privacy and access flexibility.
  • Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user’s consent.
  • Dropper: A dropper is a type of malware that secretly installs additional malicious programs on an infected device, helping attackers bypass security measures.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
Tags: Mirax RAT, Android malware, SOCKS5 proxy

KERNELWATCHER
Linux Kernel Security Analyst