Close Menu
Cybercrime and Ransomware

New Mirax Android RAT Transforms Infected Phones Into Proxy Nodes

Staff WriterBy No Comments4 Mins Read4 Views

Fast Facts

  1. Mirax is a sophisticated Android malware discovered in late 2025 that steals banking credentials and transforms infected devices into residential proxy nodes, enabling malicious traffic routing through legitimate IPs.
  2. It operates as a Malware-as-a-Service (MaaS), with limited access to trusted affiliates, primarily Russian-speaking, allowing discreet, long-term infections.
  3. Deployment involves social media ads directing users to phishing sites, with the malware installed via stealthy dropper files from GitHub, disguising itself as a media app and requesting Accessibility Services.
  4. Its proxy capability, utilizing residential IPs, enables evasion of fraud detection, geolocation bypass, and large-scale cyberattacks, making it a significant threat to mobile security and financial systems.

The Issue

Since late 2025, a new Android malware named Mirax has quietly circulated on underground forums, posing a serious threat to users across Europe and beyond. Unlike typical banking trojans, Mirax has a dual purpose: it steals banking credentials and transforms infected devices into residential proxy nodes. This allows attackers to route malicious traffic through victims’ IP addresses, making it harder for security measures to detect their activities. Researchers from Cleafy began tracking Mirax in March 2026 after noticing campaigns targeting Spanish-speaking users. The malware first appeared in underground forums in December 2025, quickly spreading to over 200,000 accounts through paid ads on Facebook and Instagram. Attackers lure victims via social media ads that lead to fake streaming sites; once installed, Mirax runs silently in the background, disguising itself and requesting accessibility permissions, which it uses to activate its proxy features. This sophisticated setup enables cybercriminals to conduct fraud, evade detection, and carry out various attacks while appearing as normal home users. The reporting by Cleafy highlights the evolving sophistication of mobile malware and underscores the importance of cautious app installation and permission management to protect personal data and financial security.

Risk Summary

The issue ‘New Mirax Android RAT Turns Infected Phones Into Residential Proxy Nodes’ can severely impact your business by causing widespread security breaches. Once infected, phones become covert proxies, allowing cybercriminals to hijack your network traffic undetected. This not only risks data theft and intellectual property loss but also leads to disrupted operations and damaged reputation. Moreover, such malware can enable targeted attacks, phishing schemes, or distribution of further malware. Consequently, without adequate safeguards, your business could face costly downtime, legal liabilities, and loss of customer trust—making it crucial to recognize and mitigate this evolving threat promptly.

Possible Actions

Timely remediation is critical when addressing threats like the “New Mirax Android RAT,” which can transform infected phones into residential proxy nodes. Rapid action minimizes widespread damage, prevents unauthorized data access, and restores trust in device security.

Containment Measures

  • Immediately disconnect affected devices from networks to prevent further malicious activity.
  • Disable or quarantine suspected applications or processes linked to the RAT.

Detection & Analysis

  • Conduct thorough malware scans using updated tools to identify infections.
  • Analyze network traffic logs for unusual proxy activity or data exfiltration signs.

Remediation Actions

  • Remove or uninstall malicious applications from infected Android devices.
  • Reset devices to factory settings if malware persists.
  • Update the operating system and all apps to the latest security patches.

Preventive Strategies

  • Enforce strict application permissions and install apps only from trusted sources.
  • Implement mobile device management (MDM) solutions for centralized control.
  • Educate users on recognizing phishing attempts and suspicious activity.

Follow-up & Monitoring

  • Continuously monitor network traffic for anomalies indicative of proxy usage.
  • Conduct regular security assessments to identify any residual threats or vulnerabilities.

Stay Ahead in Cybersecurity

Stay informed on the latest Threat Intelligence and Cyberattacks.

Learn more about global cybersecurity standards through the NIST Cybersecurity Framework.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1cyberattack-v1-multisource

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.