Android RAT Mirax Infects 220,000 via Meta Ads, Creates Proxy Network

A new Android Remote Access Trojan, dubbed Mirax, has been deployed in campaigns targeting Spanish-speaking regions, reaching over 220,000 user accounts through advertisements on Meta’s platforms. The malware, which turns infected devices into SOCKS5 proxies, represents a significant escalation in mobile threats by combining sophisticated device control with large-scale social media distribution.

Campaign Scope and Distribution

The malicious operation was propagated via ads on Facebook, Instagram, Messenger, and Threads. Security researchers tracking the campaign confirmed it successfully reached a potential audience of more than 220,000 individuals. The primary targets were users in Spanish-speaking countries, though the global nature of Meta’s ad network means the threat had a wider potential footprint.

Mirax was distributed under the guise of legitimate applications, often mimicking popular services or offering enticing utilities. Users who clicked the ads were directed to download the malicious APK file from third-party websites, bypassing the official Google Play Store’s security checks.

Technical Capabilities of the Mirax RAT

Mirax is classified as a full-featured Remote Access Trojan (RAT). Once installed on a victim’s Android device, it grants attackers comprehensive control. This allows threat actors to interact with the compromised device in real time, accessing data, activating hardware components, and executing commands remotely.

A core function of this malware is its ability to transform the infected smartphone into a SOCKS5 proxy server. This creates a relay point that anonymizes the attacker’s internet traffic, making it appear to originate from the victim’s device. This proxy network can be sold or rented to other cybercriminals for activities like credential stuffing, ad fraud, or further attacks.
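How such a relay shows up on the wire, as an added detection example that is not part of the original report and contains no Mirax code: the script below decodes the standard SOCKS5 handshake (RFC 1928) from captured per-connection payloads and flags a phone that answers a greeting with a method selection, which means the phone is acting as a SOCKS5 server. The article gives no detail of Mirax's actual wire protocol, so plain SOCKS5 is an assumption; the device address, peer addresses and connection records are constructed sample data.

```python
"""Flag a monitored phone that is serving SOCKS5 handshakes (RFC 1928).

Added example (not from the Mirax report): assumes unmodified SOCKS5 on the
wire and a list of captured payloads per TCP connection. All sample data is
constructed.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def is_socks5_greeting(payload: bytes) -> bool:
    """Client greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    if len(payload) < 3 or payload[0] != SOCKS_VERSION:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods


def is_socks5_method_select(payload: bytes) -> bool:
    """Server answer to the greeting: VER=0x05 plus the chosen METHOD byte."""
    return len(payload) == 2 and payload[0] == SOCKS_VERSION


@dataclass
class Socks5Request:
    command: str
    dst_host: str
    dst_port: int


def parse_socks5_request(payload: bytes) -> Optional[Socks5Request]:
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT; None if the bytes do not fit."""
    if len(payload) < 7 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    command = CMD_NAMES.get(payload[1])
    if command is None:
        return None
    atyp = payload[3]
    if atyp == ATYP_IPV4 and len(payload) == 10:
        host, end = socket.inet_ntop(socket.AF_INET, payload[4:8]), 8
    elif atyp == ATYP_DOMAIN and len(payload) == 7 + payload[4]:
        length = payload[4]
        host, end = payload[5:5 + length].decode("ascii", "replace"), 5 + length
    elif atyp == ATYP_IPV6 and len(payload) == 22:
        host, end = socket.inet_ntop(socket.AF_INET6, payload[4:20]), 20
    else:
        return None
    (port,) = struct.unpack("!H", payload[end:end + 2])
    return Socks5Request(command, host, port)


# One captured message: (connection id, sender ip, receiver ip, TCP payload)
Message = Tuple[str, str, str, bytes]


def find_proxy_indicators(flows: List[Message], device_ip: str) -> List[dict]:
    """Flag connections where a remote peer sends the phone a SOCKS5 greeting and
    the phone answers with a method selection, i.e. the phone is the SOCKS5 server.
    Who opened the TCP connection is ignored on purpose: a relay tunnelled over an
    outbound connection to the operator looks identical at this layer. A phone
    that is itself the SOCKS5 client (a VPN or privacy app) is not flagged."""
    by_conn: Dict[str, List[Tuple[str, str, bytes]]] = {}
    for conn_id, sender, receiver, payload in flows:
        by_conn.setdefault(conn_id, []).append((sender, receiver, payload))

    findings = []
    for conn_id, messages in by_conn.items():
        peer, accepted, request = None, False, None
        for sender, receiver, payload in messages:
            if peer is None:
                if receiver == device_ip and is_socks5_greeting(payload):
                    peer = sender
            elif not accepted:
                if sender == device_ip and receiver == peer and is_socks5_method_select(payload):
                    accepted = True
            elif sender == peer:
                request = parse_socks5_request(payload)  # what the peer wants relayed
                break
        if accepted:
            findings.append({"conn": conn_id, "peer": peer, "request": request})
    return findings


DEVICE_IP = "10.0.0.23"  # constructed address of the monitored phone

# Constructed sample capture; peer addresses are documentation ranges.
SAMPLE_FLOWS: List[Message] = [
    ("c1", "203.0.113.7", DEVICE_IP, bytes([0x05, 0x01, 0x00])),   # peer greets, offers "no auth"
    ("c1", DEVICE_IP, "203.0.113.7", bytes([0x05, 0x00])),         # phone accepts: it is serving SOCKS5
    ("c1", "203.0.113.7", DEVICE_IP,                                # CONNECT example.com:443 via the phone
     bytes([0x05, 0x01, 0x00, ATYP_DOMAIN, 11]) + b"example.com" + b"\x01\xbb"),
    ("c2", DEVICE_IP, "198.51.100.9", b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n"),  # normal browsing
    ("c3", DEVICE_IP, "192.0.2.5", bytes([0x05, 0x01, 0x00])),     # phone is the SOCKS5 *client* here
    ("c3", "192.0.2.5", DEVICE_IP, bytes([0x05, 0x00])),
]

if __name__ == "__main__":
    for hit in find_proxy_indicators(SAMPLE_FLOWS, DEVICE_IP):
        req = hit["request"]
        target = f"{req.command} {req.dst_host}:{req.dst_port}" if req else "no request seen"
        print(f"connection {hit['conn']}: phone served SOCKS5 to {hit['peer']} ({target})")
```

Feed it the per-connection payloads from a packet capture taken on the network the phone uses, with the phone's address as `device_ip`. The check keys on who sends the greeting rather than on who opened the TCP connection, so it also catches a relay that the malware builds over an outbound connection to the operator's server; a phone that merely acts as a SOCKS5 client is left alone. The first flagged connection is worth correlating with the battery and data-usage symptoms described later in this article.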

Implications for User Security

The infection leads to severe privacy and security violations. Attackers can steal sensitive information including SMS messages, contact lists, login credentials, and banking details. They can also record audio, capture photos using the device’s cameras, and track the user’s real-time location.

The use of a SOCKS5 proxy capability adds a layer of operational security for the attackers while potentially slowing down the victim’s device and consuming their data plan. For the average user, the signs of infection may be subtle, such as increased battery drain or unexplained data usage.

Response and Mitigation

Meta has reportedly taken action to remove the identified ad accounts and campaigns distributing Mirax. The company’s security systems are designed to detect and block malicious advertisements, but this case demonstrates the ongoing challenge of preventing all such activity at scale.

Google has been notified of the malware’s signatures. Users are advised to only install applications from the official Google Play Store, which employs Google Play Protect to scan for malicious software. Furthermore, users should be cautious of ads prompting direct APK downloads, even on major social platforms, and keep their device’s operating system updated.

Looking Ahead

Security analysts expect the operators behind Mirax to continue refining their techniques and may shift their targeting or distribution methods. The successful use of Meta ads for large-scale malware distribution is likely to inspire imitation by other threat groups. Ongoing investigations by cybersecurity firms and platform security teams aim to identify the individuals responsible and dismantle the infrastructure supporting the proxy network. Future advisories from both Meta and mobile security vendors are anticipated as more details about the campaign emerge.

Source: Adapted from cybersecurity reporting