
Introduction: A New Era of Mobile Malware Exploitation
Cybersecurity researchers have uncovered a rapidly spreading Android malware known as Mirax, a Remote Access Trojan (RAT) that also functions as banking malware. Rather than relying on a single phishing page or malicious download, Mirax combines layered evasion techniques, social engineering, and large-scale distribution through paid advertisements on trusted platforms such as Facebook and Instagram. With over 220,000 users already exposed, the campaign signals a dangerous evolution in mobile cybercrime, in which stealth, scale, and monetization converge.
The Original Findings: How Mirax Operates at Scale
Mirax is a newly identified Android Remote Access Trojan that doubles as banking malware, gaining rapid traction within underground cybercriminal communities. First promoted in late 2025 and closely monitored since early 2026, it has been primarily targeting Spanish-speaking users through carefully crafted campaigns. Unlike traditional malware-as-a-service models that are widely distributed, Mirax operates within a restricted affiliate network, making it more controlled and harder to detect.
The infection process begins with deceptive advertisements on Meta platforms such as Facebook and Instagram. These ads lure users into visiting phishing websites that promote fake services, including illegal sports streaming applications. These sites are specifically designed to target mobile users and encourage the sideloading of APK files, a common habit among users seeking unofficial apps.
Once the user downloads the malicious application, the infection unfolds in multiple stages. The initial dropper is hosted on GitHub Releases and is frequently updated and repackaged to evade detection. Instead of creating new repositories, the attackers reuse existing ones, so the download URLs carry no history of abuse and are harder for security systems to flag. After installation, the dropper extracts an encrypted payload hidden within the app.
The malware employs a two-stage infection chain. In the first stage, the malicious code is hidden within the app as encrypted .dex files stored in locations where Android does not normally keep code. Once executed, the dropper decrypts the payload with RC4 using a hardcoded key. The second stage is another encrypted APK, which is decrypted with a XOR routine and installed on the device. In some cases this second payload is downloaded remotely instead of being bundled, which lets the operators swap it without shipping a new dropper.
Mirax is also protected by a packer known as Golden Encryption. This packer is less documented publicly but widely used in underground forums because of its effectiveness. After installation, the malware masquerades as a legitimate video or IPTV application and asks the user to grant it Accessibility permissions. Once granted, those permissions let it read what is on screen and perform actions on the user's behalf, which is the foundation for everything that follows.
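The two-stage unpacking described above, as an added example that is not Mirax's own code or code from the original report: a Python script that walks an APK for entries outside classes*.dex, tries RC4 with a list of candidate hardcoded keys, and recovers a short XOR key from the DEX or ZIP magic by a known-plaintext attack. The key name SAMPLE_RC4_KEY, the archive entry names and the constructed sample APK are assumptions made for the demo; a real dropper's RC4 key would be lifted from its decompiled code.

```python
import io
import re
import zipfile

DEX_MAGIC = b"dex\n0"        # Dalvik header: "dex\n" + version "035".."040", so 5 known bytes
ZIP_MAGIC = b"PK\x03\x04"    # an APK is a ZIP container: local file header signature
# Android only loads code from classes.dex, classes2.dex, ... at the archive root.
NORMAL_DEX = re.compile(r"^classes\d*\.dex$")

# Hypothetical key for the constructed sample; a real dropper's key is recovered from its code.
SAMPLE_RC4_KEY = b"mirax-demo-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR: symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR, also symmetric."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def identify(blob: bytes):
    """Name the file type from its magic, or None."""
    if blob.startswith(DEX_MAGIC):
        return "dex"
    if blob.startswith(ZIP_MAGIC):
        return "apk"
    return None


def recover_xor_key(blob: bytes, magic: bytes):
    """Known-plaintext attack: the magic bytes reveal the first len(magic) key bytes.
    Only keys shorter than the magic can be confirmed (the leftover bytes must repeat)."""
    if len(blob) < len(magic):
        return None
    derived = bytes(b ^ m for b, m in zip(blob, magic))
    for length in range(1, len(magic)):
        key = derived[:length]
        if all(derived[i] == key[i % length] for i in range(len(magic))):
            return key
    return None


def try_unpack(blob: bytes, rc4_keys):
    """Apply the two transforms the article describes and report what came out."""
    for key in rc4_keys:                       # stage 1: RC4 with a hardcoded key
        plain = rc4(key, blob)
        kind = identify(plain)
        if kind:
            return {"method": "rc4", "key": key, "kind": kind, "data": plain}
    for magic, kind in ((DEX_MAGIC, "dex"), (ZIP_MAGIC, "apk")):   # stage 2: XOR
        key = recover_xor_key(blob, magic)
        if key is not None and identify(xor_bytes(key, blob)) == kind:
            return {"method": "xor", "key": key, "kind": kind, "data": xor_bytes(key, blob)}
    return None


def suspicious_entries(apk_bytes: bytes, rc4_keys):
    """Walk an APK and flag any entry outside classes*.dex that unpacks to DEX or APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if NORMAL_DEX.match(name):
                continue
            result = try_unpack(zf.read(name), rc4_keys)
            if result:
                hits.append((name, result["method"], result["kind"]))
    return hits


def build_sample() -> bytes:
    """Constructed dropper-like APK for the demo; header stubs only, not a real Mirax artifact."""
    fake_dex = b"dex\n035\x00" + bytes(120)
    fake_apk = ZIP_MAGIC + b"\x14\x00" + bytes(26) + b"stub"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", fake_dex)                                   # visible, benign-looking code
        zf.writestr("assets/fonts/Roboto.ttf", rc4(SAMPLE_RC4_KEY, fake_dex))  # stage 1 posing as a font
        zf.writestr("res/raw/player.bin", xor_bytes(b"\x5a\xa5", fake_apk))   # stage 2 posing as media
        zf.writestr("assets/readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for name, method, kind in suspicious_entries(build_sample(), [b"wrong-guess", SAMPLE_RC4_KEY]):
        print(f"{name}: {method} -> {kind}")
```

The XOR recovery only confirms keys shorter than the magic it is given; a longer key needs more known plaintext (for DEX, the fixed header_size 0x70 and endian tag at offsets 0x24 and 0x28 are the usual next anchors). The RC4 stage cannot be brute-forced this way, which is why the hardcoded key has to come from the dropper itself.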
With these permissions, Mirax operates silently in the background. It displays fake error messages, uses overlays to trick users, and bypasses security protections. The malware provides full remote access capabilities, including screen monitoring, data theft, app manipulation, and spyware functions. It communicates with command-and-control servers via WebSockets, enabling real-time interaction between the attacker and the infected device.
One of its most alarming features is its ability to turn infected devices into SOCKS5 residential proxies. Traffic routed through the phone leaves the victim's network with an ordinary residential IP address, so the attacker's activity blends in with legitimate user traffic and passes filters that block data-center ranges. This capability supports a wide range of cybercriminal operations, including fraud, distributed denial-of-service attacks, and lateral movement into the networks the infected device is connected to.
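The proxy role is visible on the wire, and the following is an added example (not code from the original report or from Mirax) of what a detection engineer would look for: a minimal RFC 1928 parser for the SOCKS5 greeting and CONNECT request, plus a small state machine that decides whether the phone is speaking the server side of the handshake. The exchange in sample_flow is constructed, and the "remote"/"device" labels are assumptions about how a capture would be tagged.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_greeting(data: bytes):
    """Client -> proxy: VER | NMETHODS | METHODS (RFC 1928, section 3)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or len(data) != 2 + data[1]:
        return None
    return {"methods": list(data[2:])}


def parse_request(data: bytes):
    """Client -> proxy: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (RFC 1928, section 4)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00 or data[1] not in COMMANDS:
        return None
    atyp, pos = data[3], 4
    if atyp == ATYP_IPV4 and len(data) >= pos + 4:
        host, pos = str(ipaddress.IPv4Address(data[pos:pos + 4])), pos + 4
    elif atyp == ATYP_IPV6 and len(data) >= pos + 16:
        host, pos = str(ipaddress.IPv6Address(data[pos:pos + 16])), pos + 16
    elif atyp == ATYP_DOMAIN and len(data) >= pos + 1 and len(data) >= pos + 1 + data[pos]:
        n = data[pos]
        host, pos = data[pos + 1:pos + 1 + n].decode("ascii", "replace"), pos + 1 + n
    else:
        return None
    if len(data) != pos + 2:                   # exactly two port bytes must remain
        return None
    return {"cmd": COMMANDS[data[1]], "atyp": atyp, "host": host,
            "port": struct.unpack("!H", data[pos:])[0]}


def is_method_selection(data: bytes) -> bool:
    """Proxy -> client: VER | METHOD."""
    return len(data) == 2 and data[0] == SOCKS_VERSION


def is_reply(data: bytes) -> bool:
    """Proxy -> client: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT (10 bytes for IPv4)."""
    return len(data) >= 10 and data[0] == SOCKS_VERSION and data[2] == 0x00


def analyze_stream(messages):
    """messages: ordered (sender, payload) pairs, sender being "remote" or "device".
    The side that emits the method selection and the reply is the SOCKS5 server. That is
    independent of who opened the TCP connection: proxy malware normally dials out to the
    operator's backconnect host and then serves requests over that socket."""
    state, pending, served = "greeting", None, []
    for sender, payload in messages:
        if state == "greeting" and sender == "remote" and parse_greeting(payload):
            state = "select"
        elif state == "select" and sender == "device" and is_method_selection(payload):
            state = "request"
        elif state == "request" and sender == "remote" and parse_request(payload):
            pending, state = parse_request(payload), "reply"
        elif state == "reply" and sender == "device" and is_reply(payload):
            if payload[1] == 0x00:              # REP 0x00 = succeeded: the tunnel is live
                served.append((pending["cmd"], pending["host"], pending["port"]))
            state = "done"
        else:
            break
    role = "socks5-server" if state in ("request", "reply", "done") else None
    return {"device_role": role, "requests": served}


def sample_flow():
    """Constructed exchange, not captured traffic: the operator tunnels a TLS
    connection to bank.example:443 through the infected phone."""
    host = b"bank.example"
    return [
        ("remote", bytes([0x05, 0x01, 0x00])),                 # greeting: one method, NO AUTH
        ("device", bytes([0x05, 0x00])),                       # phone answers as the server
        ("remote", bytes([0x05, 0x01, 0x00, ATYP_DOMAIN, len(host)]) + host + struct.pack("!H", 443)),
        ("device", bytes([0x05, 0x00, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)),  # succeeded
    ]


if __name__ == "__main__":
    print(analyze_stream(sample_flow()))
```

In practice the handshake is often wrapped in TLS or a WebSocket frame to the backconnect server, so this parser is applied to the decrypted or de-framed stream; the directional logic is the point, since a phone that selects authentication methods and answers CONNECT requests is serving someone else's traffic.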
The campaign has already reached over 200,000 users, highlighting a growing trend of exploiting trusted platforms for malware distribution. By combining social engineering with technical sophistication, Mirax demonstrates how attackers can scale operations while remaining stealthy. The shift toward a private malware-as-a-service model further reduces exposure and increases longevity, as access is limited to trusted affiliates.
What Undercode Say: The Strategic Shift Behind Mirax’s Design
Mirax is not just another Android Trojan; it represents a calculated evolution in cybercriminal strategy. The most striking element is its transition from open malware-as-a-service to a private, controlled distribution model. This change reflects a deeper understanding among attackers that visibility is the biggest threat to longevity. By limiting access, the developers reduce leaks, delay signature-based detection because fewer samples reach analysts and antivirus vendors, and maintain operational secrecy for extended periods.
The use of Meta advertising platforms marks another critical shift. Instead of relying on dark web distribution or spam campaigns, attackers are embedding themselves within legitimate digital ecosystems. This approach exploits user trust in mainstream platforms, making the attack vector far more effective. It also demonstrates how content moderation systems can be bypassed through cleverly disguised advertisements.
Technically, Mirax showcases a layered defense against analysis. The multi-stage infection chain, with RC4 and XOR transforms applied to the embedded payloads, keeps the real code out of reach of static scanners that only inspect the APK as shipped. The caveat for analysts is that both keys travel with the dropper, so once the decryption routine is located the stages unpack mechanically; the stronger barrier is the Golden Encryption packer, which complicates reverse engineering of the dropper itself and indicates that the developers are prioritizing resilience against forensic investigation.
The decision to host droppers on GitHub is particularly strategic. GitHub is widely trusted and rarely blocked, allowing malware to blend in with legitimate software distribution channels. Reusing existing repositories instead of creating new ones adds another layer of obfuscation, making detection systems less effective.
However, the most innovative aspect of Mirax is its integration of SOCKS5 proxy functionality. This transforms infected devices into valuable infrastructure assets rather than just targets for data theft. Residential proxies are highly sought after in cybercrime because they provide legitimate IP addresses, enabling attackers to bypass security filters and conduct operations that appear authentic. This dual-purpose design significantly increases the malware’s profitability.
From a broader perspective, Mirax highlights the convergence of cybercrime and business models. The private MaaS approach, combined with scalable distribution and monetization through proxies, mirrors legitimate SaaS strategies. This indicates that cybercriminals are becoming more organized, strategic, and business-oriented in their operations.
The reliance on Accessibility permissions also reveals a persistent weakness in mobile security. Users often grant these permissions without understanding that an accessibility service can read every screen and act on their behalf, effectively handing over control of their devices. On a managed device the check is simple: enumerate the enabled accessibility services (the Settings.Secure value enabled_accessibility_services) and treat any entry that does not belong to a known screen reader or similar tool as a finding. This underscores the need for stronger user education and stricter platform-level controls.
Mirax also raises questions about the future of mobile threats. As attackers continue to refine their techniques, the line between malware and legitimate applications becomes increasingly blurred. The use of dynamic loading, encrypted payloads, and real-time communication suggests that future threats will be even more adaptive and harder to detect.
Ultimately, Mirax is not just a technical threat but a strategic one. It demonstrates how attackers are leveraging trust, scalability, and innovation to maximize impact while minimizing risk. This shift signals a new phase in mobile cybersecurity, where traditional defenses may no longer be sufficient.
Fact Checker Results
✅ Mirax uses multi-stage infection and encryption techniques, confirmed by threat intelligence analysis.
✅ The malware leverages Meta ads and GitHub distribution, aligning with documented campaign behavior.
❌ The exact number of infected users may vary, as large-scale estimates often fluctuate during ongoing investigations.
Prediction
📊 The rise of private malware-as-a-service models will increase stealth and reduce early detection rates.
📊 Mobile devices will increasingly be used as proxy infrastructure rather than just data targets.
📊 Platforms like social media and code repositories will face growing pressure to strengthen security controls against abuse.
References:
Reported By: securityaffairs.com