Mirax Android Banking Trojan Expands Across Europe Using Residential Proxy Networks and Social Engineering Campaigns


Introduction

A new and highly adaptive Android banking trojan known as Mirax has been uncovered operating across Europe. Security researchers have observed the malware combining remote access capabilities with residential proxy functionality, so that attackers not only steal sensitive financial data from an infected device but also route other malicious traffic through it. The campaign, whose malicious advertisements have already reached more than 200,000 accounts, shows how modern mobile malware is becoming more structured, stealthy and commercially organized under tightly controlled Malware-as-a-Service ecosystems.

Summary of the Original

Mirax is a newly identified Android banking trojan actively spreading across Europe, with a strong focus on Spanish-speaking users. Security researchers at Cleafy report that the malware has already been distributed to over 200,000 accounts through malicious advertisements on social media platforms. Unlike mass-distributed malware, Mirax operates under a restricted Malware-as-a-Service model in which only a limited number of affiliates can access and deploy it. This controlled structure improves the operators' security while keeping attacks efficient.

Once installed, Mirax grants attackers full remote access to the infected device, enabling real-time control, command execution and interception of data. It steals banking credentials by drawing fake overlays on top of legitimate applications. The overlay pages are retrieved dynamically from the command-and-control (C2) servers rather than shipped inside the app, which makes them harder to detect. The malware also includes surveillance features such as continuous keylogging and the collection of lock-screen patterns, PIN structures and indicators of biometric usage.

Distribution relies heavily on social engineering: users are tricked by social media ads into downloading fake streaming or IPTV applications. The infection chain runs in multiple stages, including GitHub-hosted payloads, device checks intended to evade analysis, and encrypted execution of later stages. After installation, Mirax establishes WebSocket communication channels to its C2 infrastructure to maintain persistent remote control.

A key feature of the malware is its ability to turn infected devices into residential proxy nodes, allowing attackers to route malicious traffic through legitimate consumer IP addresses. This helps bypass geo-restrictions, evade fraud detection systems and support broader cybercriminal operations such as account takeover campaigns. Researchers warn that although current activity is concentrated in Spain, the malware is likely to expand to other regions as its operators refine their methods.

What Undercode Says:

Mirax represents a clear shift in mobile malware architecture and operational strategy.

The move toward restricted Malware-as-a-Service indicates increased professionalism among cybercriminal groups.

Unlike mass-distributed malware, Mirax prioritizes controlled deployment to reduce exposure.

This suggests attackers are focusing on long-term infrastructure stability rather than short-term volume.

The integration of remote access tools turns infected devices into fully interactive attack platforms.

Attackers can observe, manipulate, and extract data in real time without user awareness.

The use of dynamic overlays is particularly dangerous because the bank-specific pages never sit inside the APK, so static analysis of the package finds nothing to match.

Because each overlay is fetched from the C2 server, attackers can add or swap targeted fraud interfaces instantly without shipping a new build.

This makes traditional signature-based antivirus systems far less effective.

The inclusion of keylogging and the collection of biometric usage indicators shows a deeper focus on identity theft.

Attackers are not just stealing credentials but mapping user authentication behavior.

This could be used to bypass multi-factor authentication in future attacks.
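Overlays and keylogging on Android both depend on capabilities an app has to declare in its manifest, which gives a defender a static check to run on any sideloaded "streaming" package before it reaches users. The following is an added example, not code from Cleafy or from the Mirax sample; the article does not say which permissions Mirax declares, so the mapping used here is the general Android one (overlays need SYSTEM_ALERT_WINDOW or an accessibility service, keylogging needs an accessibility service, a multi-stage dropper needs REQUEST_INSTALL_PACKAGES), and both manifests are constructed input.

```python
"""Static triage of an Android manifest for the capability set that
overlay-and-keylogging banking trojans depend on.

Added example, not code from Cleafy or from the Mirax sample. The
permission-to-capability mapping is the general Android one; the
manifests below are constructed sample input, not real packages.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Permission groups that map onto the capabilities described in the article.
CAPABILITY_SIGNALS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "dropper": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
}

# Constructed manifest of a fake "free streaming" app that asks for far
# more than a video player needs.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="tv.example.freestream">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".PlayerService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of a plain player, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="tv.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {e.get(A_NAME) for e in root.iter("uses-permission") if e.get(A_NAME)}


def declares_accessibility_service(manifest_xml):
    """True if any <service> is bound with BIND_ACCESSIBILITY_SERVICE, which is
    what a keylogger or a screen-reading overlay component needs."""
    root = ET.fromstring(manifest_xml)
    return any(
        s.get(A_PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )


def triage(manifest_xml):
    """Map declared permissions to capabilities and rank the combination."""
    perms = declared_permissions(manifest_xml)
    found = {cap for cap, needed in CAPABILITY_SIGNALS.items() if perms & needed}
    if declares_accessibility_service(manifest_xml):
        found.add("accessibility")
    # Overlay plus accessibility is the core of overlay credential theft; a
    # dropper permission on top of it is the multi-stage install pattern.
    if {"overlay", "accessibility"} <= found:
        verdict = "high" if "dropper" in found else "medium"
    elif found & {"overlay", "accessibility", "dropper"}:
        verdict = "low"
    else:
        verdict = "none"
    return {"capabilities": sorted(found), "verdict": verdict}


if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(m))
```

Feed it the decoded AndroidManifest.xml that apktool or aapt produces for a package. A legitimate screen reader or automation app also binds an accessibility service, so the "medium" and "high" verdicts are a queue for review and allowlisting, not an automatic block; the point of the check is that a video player has no reason to combine overlay, accessibility and package-install rights.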

The social engineering vector remains the weakest link in the entire attack chain.

Fake streaming apps remain highly effective because they exploit user demand for free content.

Hosting payloads on GitHub gives the download a reputable domain and TLS certificate, which helps it pass filters that trust well-known hosting services.

Security teams may struggle to differentiate malicious repositories from legitimate ones, since at the network level both look like ordinary GitHub traffic.

The multi-stage infection chain increases resilience against partial detection.

Blocking one stage, such as a particular GitHub-hosted payload, does not stop the chain if the earlier stage can be pointed at a replacement, and a signature for one stage tells defenders nothing about the others.

WebSocket communication provides a persistent and low-latency control channel.

This allows attackers to maintain continuous surveillance over infected devices.

The proxy functionality significantly expands Mirax beyond banking fraud.

Infected devices become part of a distributed anonymization network.
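Both behaviours leave a fleet-side footprint that a managed-device or egress proxy log can catch even when the device itself is under the attacker's control: a control channel that stays up across reconnects, and a phone that suddenly talks to dozens of unrelated hosts because it is relaying someone else's traffic. The code below is an added example, not detection content from Cleafy or the source article. It assumes per-flow egress records with a device id, destination host, duration and a WebSocket-upgrade flag (as a Zeek conn/http log or an MDM proxy would provide); the flows, the allowlist and the thresholds are constructed placeholders to tune per environment.

```python
"""Fleet-side detections for a persistent WebSocket control channel and
for proxy-node fan-out, run over constructed egress-log records.

Added example, not detection logic from Cleafy or the source article.
The flow records, allowlist and thresholds are constructed placeholders.
"""
from collections import defaultdict

WS_ALLOWLIST = {"mtalk.google.com"}   # push services expected to stay connected
WS_MIN_TOTAL_SECONDS = 3600           # ignore short, ordinary WebSocket use
WS_COVERAGE_THRESHOLD = 0.8           # channel up for >= 80% of the observed span
FANOUT_BUCKET_SECONDS = 600
FANOUT_MIN_DISTINCT_HOSTS = 25        # a video app does not reach 25 hosts in 10 min

# Constructed flows: (ts, device, dst_host, duration_s, websocket)
FLOWS = [
    (1000, "dev-a", "mtalk.google.com", 9000, True),       # benign push channel
    (1005, "dev-a", "cdn.example-stream.tv", 120, False),
    (4000, "dev-a", "cdn.example-stream.tv", 95, False),
    # dev-b: control channel that reconnects within seconds each time it drops
    (1000, "dev-b", "203.0.113.45", 3000, True),
    (4010, "dev-b", "203.0.113.45", 3000, True),
    (7020, "dev-b", "203.0.113.45", 3000, True),
    (1000, "dev-c", "chat.example.org", 60, True),         # short, ordinary WS use
] + [
    # dev-b relaying third-party traffic: 30 unrelated hosts inside ten minutes
    (1100 + i, "dev-b", "target%d.example.net" % i, 3, False) for i in range(30)
]


def persistent_websockets(flows, allowlist=WS_ALLOWLIST,
                          min_total=WS_MIN_TOTAL_SECONDS,
                          threshold=WS_COVERAGE_THRESHOLD):
    """Flag (device, host) pairs whose WebSocket sessions, reconnects
    included, cover most of the device's observed span.
    Returns {(device, host): coverage}."""
    span = defaultdict(lambda: [float("inf"), 0])   # device -> [first ts, last end]
    ws_time = defaultdict(float)                     # (device, host) -> seconds connected
    for ts, dev, host, dur, ws in flows:
        lo_hi = span[dev]
        lo_hi[0] = min(lo_hi[0], ts)
        lo_hi[1] = max(lo_hi[1], ts + dur)
        if ws and host not in allowlist:
            ws_time[(dev, host)] += dur
    flagged = {}
    for (dev, host), total in ws_time.items():
        lo, hi = span[dev]
        coverage = total / (hi - lo) if hi > lo else 0.0
        if total >= min_total and coverage >= threshold:
            flagged[(dev, host)] = round(coverage, 3)
    return flagged


def proxy_fanout(flows, bucket=FANOUT_BUCKET_SECONDS,
                 min_hosts=FANOUT_MIN_DISTINCT_HOSTS):
    """Count distinct destination hosts per device per time bucket; a phone
    acting as a residential exit node talks to many unrelated hosts at once.
    Returns {device: peak distinct hosts in one bucket} for devices over the bar."""
    hosts = defaultdict(set)
    for ts, dev, host, dur, ws in flows:
        hosts[(dev, ts // bucket)].add(host)
    peak = defaultdict(int)
    for (dev, _), hs in hosts.items():
        peak[dev] = max(peak[dev], len(hs))
    return {dev: n for dev, n in peak.items() if n >= min_hosts}


def detect(flows):
    """Combine both signals into per-device alert lists."""
    alerts = defaultdict(list)
    for (dev, host), cov in persistent_websockets(flows).items():
        alerts[dev].append("persistent websocket to %s (%.0f%% of span)" % (host, cov * 100))
    for dev, n in proxy_fanout(flows).items():
        alerts[dev].append("proxy-like fan-out: %d distinct hosts in %ds" % (n, FANOUT_BUCKET_SECONDS))
    return dict(alerts)


if __name__ == "__main__":
    for dev, reasons in detect(FLOWS).items():
        print(dev, reasons)
```

In a real fleet the fan-out bar should be set relative to each device's own baseline rather than a fixed 25, and a WebSocket to a bare IP address, as in the constructed dev-b flows, deserves extra weight on its own. The detection belongs on the egress or MDM side because, once the trojan has remote-access rights on the handset, nothing running on the device can be trusted to report honestly.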

This infrastructure can support fraud, scraping, and credential stuffing operations.

It also increases the difficulty of attribution for downstream attacks.

Residential IP abuse is particularly valuable for bypassing fraud detection systems, because a login from a consumer ISP address in the victim's own country looks like the customer rather than like a hosting provider.

This makes Mirax not just malware, but a cybercrime infrastructure tool.
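From the bank's side, the giveaway of a proxy node is that a single residential address starts authenticating to many unrelated accounts with many different client fingerprints in a short window, which a household never does. The following is an added example, not Cleafy's or any bank's fraud logic. It assumes login events carrying a source IP, an account id and a client fingerprint, plus an ASN lookup that classifies the IP; the lookup, the events and the thresholds are constructed placeholders.

```python
"""Service-side check for residential-proxy abuse: one residential IP
authenticating to many unrelated accounts inside an hour.

Added example, not fraud logic from Cleafy or from any bank. The IP
classifier, the login events and the thresholds are constructed.
"""
from collections import defaultdict

BUCKET_SECONDS = 3600
MAX_ACCOUNTS_PER_RESIDENTIAL_IP = 5      # a household, not a customer base
MAX_FINGERPRINTS_PER_RESIDENTIAL_IP = 3  # a few devices, not a stream of clients


def ip_class(ip):
    """Constructed stand-in for an ASN/geo lookup."""
    if ip.startswith("198.51.100."):
        return "residential"
    if ip.startswith("192.0.2."):
        return "datacenter"
    return "unknown"


# Constructed login events: (ts, account, src_ip, client_fingerprint)
EVENTS = [
    # household: two customers, one phone each, spread over the day
    (100, "acct-01", "198.51.100.7", "fp-home-1"),
    (5000, "acct-02", "198.51.100.7", "fp-home-2"),
    (40000, "acct-01", "198.51.100.7", "fp-home-1"),
] + [
    # datacenter egress: many accounts, but that is the hosting-IP policy's job,
    # not this residential check's
    (200 + i, "acct-%02d" % (50 + i), "192.0.2.9", "fp-dc-%d" % i) for i in range(12)
] + [
    # infected phone used as an exit node: 12 accounts, 9 fingerprints, 20 minutes
    (900 + i * 100, "acct-%02d" % (10 + i), "198.51.100.42", "fp-%d" % (i % 9))
    for i in range(12)
]


def flag_residential_proxy_ips(events, bucket=BUCKET_SECONDS,
                               max_accounts=MAX_ACCOUNTS_PER_RESIDENTIAL_IP,
                               max_fingerprints=MAX_FINGERPRINTS_PER_RESIDENTIAL_IP):
    """Return {ip: {"accounts": n, "fingerprints": m}} for residential IPs
    that exceed either bar within one time bucket (peak values reported)."""
    accounts = defaultdict(set)
    fingerprints = defaultdict(set)
    for ts, acct, ip, fp in events:
        if ip_class(ip) != "residential":
            continue
        key = (ip, ts // bucket)
        accounts[key].add(acct)
        fingerprints[key].add(fp)
    flagged = {}
    for key, accts in accounts.items():
        ip = key[0]
        fps = fingerprints[key]
        if len(accts) > max_accounts or len(fps) > max_fingerprints:
            prev = flagged.get(ip, {"accounts": 0, "fingerprints": 0})
            flagged[ip] = {"accounts": max(prev["accounts"], len(accts)),
                           "fingerprints": max(prev["fingerprints"], len(fps))}
    return flagged


def accounts_for_step_up(events, flagged):
    """Accounts that authenticated through a flagged IP: candidates for
    step-up authentication and session review rather than a hard block,
    since the real customer may sit behind the same infected phone."""
    return {acct for _, acct, ip, _ in events if ip in flagged}


if __name__ == "__main__":
    hits = flag_residential_proxy_ips(EVENTS)
    print(hits)
    print(sorted(accounts_for_step_up(EVENTS, hits)))
```

The household address never trips the check, while the exit node does on both counts. The flagged accounts go to step-up rather than a block for two reasons: the owner of the infected phone is also a customer whose own sessions come from that address, and a hard block would tell the operators which node has been burned.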

The geographic focus on Spain suggests targeted testing before broader deployment.

Historical patterns indicate such malware often expands rapidly after initial validation.

If unchecked, Mirax could become a pan-European mobile threat.

Its modular structure suggests it may integrate additional payloads in future updates.

This evolution reflects a broader trend in mobile malware commoditization.

Fact Checker Results

✅ Cleafy has reported on Android malware campaigns with similar infrastructure patterns
❌ No public evidence confirms Mirax has already expanded beyond observed targeting regions
⚠️ Claims about future expansion remain predictive and not yet verified

Prediction

Mirax is likely to evolve into a wider Malware-as-a-Service ecosystem with expanded affiliate access.
Its residential proxy feature may become the primary monetization layer beyond banking theft.
Future variants could integrate automated account takeover tools and multi-platform targeting capabilities.


References:

Reported By: www.infosecurity-magazine.com

