Mirax Android RAT Converts Infected Phones into Residential Proxies After Spreading via Meta Ads

Introduction

A new Android remote access trojan called Mirax has reached over 220,000 accounts through paid advertising campaigns on Facebook, Instagram, Messenger, and Threads. Beyond standard RAT capabilities like keylogging and screen capture, Mirax's standout feature is turning infected devices into SOCKS5 residential proxy nodes — letting attackers route traffic through victims' home IP addresses to evade fraud detection and geolocation controls.

What Happened

Mirax first appeared on underground forums in December 2025 and gained significant traction in early 2026. Its distribution method is unusually brazen: the operators purchase Meta ad campaigns promoting fake streaming services (the most prominent being "StreamTV") that promise free access to live sports and movies. One ad campaign launched on April 6, 2026 alone reached 190,987 accounts.

Clicking the ad redirects victims to a phishing page mimicking a streaming app download. The dropper APK sideloads the actual Mirax payload after installation. Once active on the device, Mirax establishes a persistent connection to its C2 and offers the operator full remote control.

Core RAT features include:

  • Real-time screen streaming and interaction
  • Keylogging and credential capture
  • SMS interception (useful for bypassing SMS-based 2FA)
  • Contact and file exfiltration
  • Camera and microphone access

The SOCKS5 proxy module is what sets Mirax apart. Using the SOCKS5 protocol combined with Yamux multiplexing, Mirax enrolls each infected device as a node in a residential proxy network. The operator — or their customers — can then route arbitrary TCP traffic through the victim's mobile data or Wi-Fi connection. This is valuable for account takeover attacks, carding, ad fraud, and web scraping operations that need to appear as if they originate from diverse residential IPs.

Mirax is sold as a malware-as-a-service platform: $2,500 for a three-month subscription or $1,750 per month for a lightweight variant without the proxy module. Access is restricted to vetted, primarily Russian-speaking affiliates with established underground reputations.

Why It Matters

The abuse of Meta's advertising platform for malware distribution is a significant escalation. Paid ads lend an air of legitimacy and reach audiences that traditional phishing campaigns cannot. The residential proxy angle also has downstream consequences — organizations may see credential stuffing or account takeover traffic originating from what appears to be legitimate consumer IP addresses, making detection and IP-based blocking far less effective.

For enterprises with BYOD policies, a single infected employee device could become an entry point for lateral movement if it connects to corporate Wi-Fi, and the corporate egress IP could silently be proxying attacker traffic, which puts the organization's IP reputation at risk as well.

Who Is Affected

  • Android users in Spanish-speaking countries (primary targets), though the campaign can reach any Meta user
  • Organizations with BYOD or unmanaged mobile device policies
  • Any service relying on IP reputation or geolocation for fraud detection
  • Meta advertisers who may see increased fraudulent activity blended into legitimate ad traffic

How to Protect Yourself

For individual users:

Check for sideloaded apps that don't appear in the Google Play Store:

Settings → Apps → Sort by "Install date" → Review anything unfamiliar

Revoke "Install unknown apps" permission. On Android 8 and later this is granted per app rather than as a single global switch, so check every app that can hand you an APK (browsers, messaging apps, file managers):

Settings → Apps → Special app access → Install unknown apps → set each app to "Not allowed"
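Both checks above can be automated from a workstation with adb. The script below is an added example (it is not part of the original article or of any vendor tooling): it parses the output of `adb shell pm list packages -3 -i`, which lists third-party packages with the package that installed them, and flags anything whose installer is not in an assumed trusted set (Google Play and the Android Device Policy agent). The sample output embedded in the script is constructed, and the package names in it are placeholders.

```python
"""Flag third-party packages not installed by a trusted installer.

Added example, not code from the original article. Input is the output of
`adb shell pm list packages -3 -i`, one package per line in the form
`package:<name>  installer=<installer package or null>`.
"""
import re
import subprocess

# Assumed trusted installers: Google Play and the Android Device Policy
# (Android Enterprise) agent. Add your own MDM agent package if different.
TRUSTED_INSTALLERS = frozenset({
    "com.android.vending",
    "com.google.android.apps.work.clouddpc",
})

# Constructed sample output; package names are illustrative placeholders.
SAMPLE_PM_OUTPUT = """\
package:com.example.messenger  installer=com.android.vending
package:com.example.streamingapp  installer=null
package:com.example.utility  installer=com.android.chrome
package:com.example.corpvpn  installer=com.google.android.apps.work.clouddpc
"""

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def find_sideloaded(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return [(package, installer)] for packages with an untrusted installer.

    `installer=null` means no installer claimed the package (typical of a
    manually sideloaded APK); a browser or file manager as the installer
    means the APK was opened straight from a download.
    """
    suspicious = []
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        package, installer = m.groups()
        if installer not in trusted:
            suspicious.append((package, installer))
    return suspicious


def pm_output_from_device():
    """Pull real output over adb; return None if adb or a device is missing."""
    try:
        cp = subprocess.run(
            ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
            capture_output=True, text=True, timeout=30, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError,
            subprocess.TimeoutExpired):
        return None
    return cp.stdout


if __name__ == "__main__":
    output = pm_output_from_device() or SAMPLE_PM_OUTPUT
    for package, installer in find_sideloaded(output):
        print(f"{package}: installed by {installer}")
```

Anything the script prints deserves a look in Settings → Apps; a package with `installer=null` that you do not remember installing is the pattern a dropper-delivered payload leaves behind.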

For security teams managing mobile fleets, use an MDM solution with Android Enterprise support to enforce app installation policies and block sideloading (MAM alone governs managed apps, not what the device is allowed to install):

Android Management API policy: advancedSecurityOverrides.untrustedAppsPolicy = DISALLOW_INSTALL (blocks installation from unknown sources device-wide). Note that applications[].installType = BLOCKED only blocks the one named package and does not prevent sideloading in general.

Block the known indicators at your network perimeter. Monitor DNS and proxy logs for connections to C2 infrastructure associated with Mirax (IOCs available in the Socket and SecurityAffairs reports linked below).

Detect residential proxy abuse on your services by looking for authentication attempts from mobile carrier IP ranges at unusual volumes. Rate-limit and challenge login attempts from ASNs commonly associated with mobile data providers in targeted regions.
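The detection rule above can be expressed as a small script. What follows is an added example, not code from the original article: it maps login attempts to ASNs using a constructed prefix table (a real deployment would use a routing or GeoIP database such as MaxMind or ipinfo), then looks for any ASN that produces a burst of attempts against many distinct accounts inside a short window, the signature of credential stuffing routed through a proxy pool. The log format, ASN numbers and thresholds are all assumptions for the example.

```python
"""Flag login bursts from mobile-carrier ASNs.

Added example, not code from the original article. Log lines, ASN table
and thresholds are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed prefix -> (ASN, label) table. Replace with a real ASN lookup.
ASN_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), (65001, "MobileCarrier-A")),
    (ipaddress.ip_network("203.0.113.0/24"), (65002, "ResidentialISP-B")),
    (ipaddress.ip_network("192.0.2.0/24"), (65003, "CorporateNet-C")),
]
# ASNs you treat as mobile data providers in the targeted regions.
MOBILE_ASNS = {65001}

# Constructed auth log: "<ISO timestamp> <client ip> <account> <ok|fail>"
SAMPLE_LOG = """\
2026-04-07T10:00:01 198.51.100.10 alice fail
2026-04-07T10:00:14 198.51.100.10 bob fail
2026-04-07T10:00:29 198.51.100.23 carol fail
2026-04-07T10:00:41 198.51.100.23 dave fail
2026-04-07T10:00:55 198.51.100.77 erin ok
2026-04-07T10:01:08 198.51.100.77 frank ok
2026-04-07T10:01:20 198.51.100.91 grace fail
2026-04-07T10:01:33 198.51.100.91 alice fail
2026-04-07T10:02:10 203.0.113.5 heidi ok
2026-04-07T10:30:00 203.0.113.5 heidi ok
2026-04-07T10:05:00 192.0.2.8 ivan fail
2026-04-07T10:05:20 192.0.2.8 ivan ok
2026-04-07T10:05:40 192.0.2.8 ivan ok
"""


def lookup_asn(ip_str):
    """Longest-prefix style lookup over the constructed table."""
    ip = ipaddress.ip_address(ip_str)
    for net, asn in ASN_TABLE:
        if ip in net:
            return asn
    return (0, "unknown")


def parse_log(text):
    """Parse log lines into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events


def flag_asn_bursts(events, window=timedelta(minutes=5),
                    min_attempts=6, min_accounts=4):
    """Return {asn: summary} for ASNs whose busiest window exceeds thresholds.

    Many distinct accounts from one ASN in a short window is the stuffing
    signature; a single user retrying a password does not trip it.
    """
    by_asn = defaultdict(list)
    for ts, ip, account, result in events:
        by_asn[lookup_asn(ip)].append((ts, ip, account, result))

    flagged = {}
    for (asn, label), evs in by_asn.items():
        evs.sort()
        best = None
        for i, (start, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= window]
            accounts = {e[2] for e in win}
            if len(win) >= min_attempts and len(accounts) >= min_accounts:
                if best is None or len(win) > best["attempts"]:
                    best = {
                        "asn": asn, "label": label,
                        "attempts": len(win),
                        "accounts": len(accounts),
                        "ips": len({e[1] for e in win}),
                        "fail_ratio": round(
                            sum(e[3] == "fail" for e in win) / len(win), 2),
                        "mobile": asn in MOBILE_ASNS,
                    }
        if best:
            # Mobile-carrier ASNs get the article's treatment: challenge
            # and rate-limit; others are queued for analyst review.
            best["action"] = ("challenge+rate_limit" if best["mobile"]
                              else "review")
            flagged[asn] = best
    return flagged


if __name__ == "__main__":
    for asn, info in flag_asn_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"AS{asn} {info['label']}: {info['attempts']} attempts, "
              f"{info['accounts']} accounts from {info['ips']} IPs, "
              f"fail ratio {info['fail_ratio']} -> {info['action']}")
```

Keying on distinct accounts per ASN rather than per IP is what makes this survive a residential proxy pool: each infected phone contributes only a few requests, so per-IP rate limits never fire, but the carrier ASN as a whole still shows the burst. Tune `min_attempts` and `min_accounts` against your own baseline before acting on the output.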

Report the ads. If you encounter "StreamTV" or similar fake streaming ads on Meta platforms, report them through Facebook's ad reporting flow to accelerate takedown.

Review Meta ad account security if you run business ad accounts — ensure no unauthorized campaigns are running under your billing.

Source