
Mirax Android RAT Steals Credentials, Enslaves Phones for Proxy Network

The Mirax Android RAT steals banking credentials and covertly turns infected devices into residential proxy nodes for criminal traffic, creating a dual-threat mobile botnet.

MITRE ATT&CK® TTPs (1)

Command and Control
T1090
Proxy

Executive Summary

A newly identified Android Remote Access Trojan (RAT) named Mirax is being distributed to create a dual-purpose mobile botnet. According to analysis of its advertised capabilities on underground forums, the malware's primary functions are to harvest banking credentials and financial data from victims and to silently enroll infected Android devices into a residential proxy network. This network is then sold to other cybercriminals to anonymize malicious traffic, making Mirax both a direct financial threat and an infrastructure-as-a-service enabler. The malware has been circulating since late 2025, with reported targeting in Europe.

Technical Analysis

Mirax is a feature-rich RAT distributed through typical Android infection vectors, likely including phishing links and malicious applications masquerading as legitimate software. Once installed, it requests extensive permissions to gain persistence and access to sensitive data. The malware's core malicious modules operate in two parallel streams. The first is dedicated to financial theft, using overlay attacks to capture login credentials from banking and financial applications. It can also log keystrokes and harvest cookies and autofill data from the device.

The second, more distinctive module establishes a SOCKS5 proxy on the infected device. This turns the phone into an anonymous exit node for internet traffic, effectively making it part of a residential proxy botnet. The proxy operates silently in the background, consuming device resources and data bandwidth. The botnet operator can then sell access to this pool of residential IP addresses, which are more trusted by security services than datacenter IPs, to other actors for activities like credential stuffing, ad fraud, or scraping. Technical specifics of the malware's command-and-control (C2) protocol and obfuscation methods were not detailed in the available source material.

Tactics, Techniques & Procedures

The threat actor employs several techniques to achieve its objectives. Initial access is likely achieved through Phishing for Information (T1598) or Drive-by Compromise (T1189), tricking users into installing a malicious APK. For execution and persistence, the malware abuses Android's accessibility services (Abuse Elevation Control Mechanism, T1548) to maintain a foothold and automate malicious actions. Its key data theft techniques include Input Capture: Keylogging (T1056.001) and Input Capture: GUI Input Capture (T1056.002) via overlay attacks. The most notable technique is the Proxy: Connection Proxy (T1090) capability, where the malware uses the infected device as an intermediary to relay command-and-control communications or customer traffic, providing anonymity to the botnet's users.

Threat Actor Context

The developer or distributor of Mirax is currently unidentified. The malware is being advertised and sold on underground cybercrime forums, indicating a Malware-as-a-Service (MaaS) or commercial RAT model. This business model suggests the primary actor is financially motivated, seeking to profit both from the direct sale of the malware and from the secondary revenue stream generated by the proxy network. The targeting appears broad, with the source noting particular activity in Europe, but the global nature of the Android ecosystem and underground markets means the threat is not regionally confined.

Mitigations & Recommendations

Organizations and individuals should adopt a defense-in-depth strategy for mobile security. Users should only install applications from the official Google Play Store, though caution is still required as malicious apps sometimes evade detection. They should scrutinize requested permissions, especially for accessibility services and overlay permissions, which are commonly abused by RATs. Disabling "Install unknown apps" (side-loading) for all but essential, trusted sources is critical.

Enterprises should enforce mobile device management (MDM) policies to monitor for unauthorized proxy configurations and suspicious network traffic originating from managed devices. Network monitoring for unexpected outbound SOCKS5 proxy traffic (typically on TCP port 1080 or other configured ports) can help identify infected devices on corporate networks. As no specific CVEs are associated with Mirax's initial infection vectors, patching is not a direct mitigation, but keeping the Android OS and all applications updated remains a fundamental best practice to close unrelated exploitation avenues.
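As an added example of the network-monitoring recommendation above (not code from the article or from any vendor product), the following flags flow records from managed devices that carry a well-formed SOCKS5 method-selection greeting (RFC 1928: version byte 0x05, a method count, then that many method bytes) on any port, and treats bare connections to port 1080 as a weaker signal. The flow records and addresses are constructed; a real deployment would populate them from a flow collector or packet capture.

```python
"""Flag possible SOCKS5 proxy activity in flow records from managed mobile devices.

Added example, not from the article. Each record carries the first payload bytes
seen on the connection in either direction, because a reverse-connect proxy node
receives the greeting from the remote end over a connection it opened itself.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOCKS_VERSION = 0x05
DEFAULT_SOCKS_PORT = 1080
NO_ACCEPTABLE_METHODS = 0xFF  # RFC 1928 reserved value, never sent by a client


@dataclass
class Flow:
    src: str          # managed device address (constructed)
    dst: str          # remote peer address (constructed)
    dport: int        # remote TCP port
    first_bytes: bytes  # first payload bytes on the connection, either direction


def looks_like_socks5_greeting(payload: bytes) -> bool:
    """True if payload starts with a well-formed SOCKS5 method-selection greeting."""
    if len(payload) < 3 or payload[0] != SOCKS_VERSION:
        return False
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return False  # empty or truncated method list
    return all(m != NO_ACCEPTABLE_METHODS for m in payload[2:2 + nmethods])


def classify(flow: Flow) -> Optional[str]:
    """'high' for a real SOCKS5 greeting, 'low' for bare port-1080 traffic, else None."""
    if looks_like_socks5_greeting(flow.first_bytes):
        return "high"
    if flow.dport == DEFAULT_SOCKS_PORT:
        return "low"
    return None


def find_suspect_flows(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, severity) for every flow worth investigating."""
    return [(f.src, f.dst, f.dport, sev) for f in flows if (sev := classify(f))]


# Constructed samples: SOCKS5 greeting on a non-standard port, a TLS ClientHello, a plain HTTP request to 1080.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "203.0.113.9", 8443, b"\x05\x02\x00\x02"),
    Flow("10.20.0.16", "198.51.100.4", 443, b"\x16\x03\x01\x02\x00"),
    Flow("10.20.0.17", "203.0.113.10", 1080, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for hit in find_suspect_flows(SAMPLE_FLOWS):
        print(hit)
```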
