Mirax Android RAT infects 220,000 devices

- Security researchers reported today that the Mirax Android remote-access trojan, spread via Meta Ads, converts infected phones into SOCKS5 proxies across multiple countries.
- Researchers said more than 220,000 devices were commandeered in recent months to act as internet proxies, amplifying abuse and anonymization for the operators.
- The campaign was traced to Meta Ads placements between 2025 and 2026 targeting Android users worldwide. (x.com)

1/ Security firm researchers disclosed Thursday that the Mirax Android remote access trojan (RAT) has infected over 220,000 devices worldwide, turning them into SOCKS5 proxies for cybercriminals. The campaign ran via malicious Meta Ads from 2025 through 2026, targeting Android users across multiple countries.

2/ Mirax operates as a sophisticated RAT, granting attackers full remote control over infected Android phones. Once installed, it routes internet traffic through the devices, creating a vast proxy network that hides malicious operators' identities and boosts abuse like spam or DDoS attacks. Researchers at iseclab tracked the operation's scale.

3/ The infection vector: fake Meta Ads promoting "free" apps or tools, leading users to phishing sites that sideload the Mirax APK. No Play Store involvement, purely off-platform delivery. Ads hit global audiences, with infections peaking in recent months across Europe, Asia, and the Americas.

4/ Key stat: 220,000+ compromised devices now form a SOCKS5 botnet, amplifying cybercriminals' reach. Each phone acts as an anonymized exit node, evading IP blocks and enabling scalable attacks. Iseclab said this network has been active for months, powering fraud and evasion.

5/ Timeline: Campaign started early 2025, with Meta Ads placements documented through mid-2026. Researchers reverse-engineered samples, linking them to consistent C2 servers. No single country dominates victims; it's a global dragnet on Android users clicking ads.

6/ Technical breakdown: Mirax evades detection with obfuscated code, dynamic payloads, and proxy chaining. It requests accessibility permissions post-install, then phones home to attacker-controlled panels. SOCKS5 setup lets operators tunnel traffic anonymously. Full IOCs shared by iseclab.

7/ Meta's role: Ads bypassed platform moderation, using cloaking to show benign content to reviewers. Researchers urged Meta to scan ad-linked domains; no public response from the company as of May 21, 2026. Similar tactics hit Google Ads in past campaigns.

8/ Victim impact: Infected devices face battery drain, data theft risks, and forced proxying, which could expose users to legal scrutiny if abused. No ransom noted; pure infrastructure play for attackers. Android's market share makes it a prime target.

9/ Mitigation steps from researchers: Scan with updated antivirus (e.g., Malwarebytes, Avast); revoke accessibility perms for unknowns; avoid sideloading from ads. Google Play Protect blocks some, but not all vectors. Check proxy usage via apps like Wireshark on rooted devices.

10/ Broader context: Mobile RATs like Mirax echo Anatsa or Hook, but proxy focus is novel for scale. Kaspersky's 2025 report noted rising Android threats; this fits the trend. Attackers likely monetize via proxy rentals on dark web markets.

11/ What's next: Iseclab promised full report with C2 takedown IOCs soon. Android users: Update OS, enable Play Protect, report suspicious ads to Meta. Track via threat intel feeds like VirusTotal for Mirax hashes. Stay vigilant; proxy botnets evolve fast.
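The thread's mitigation advice is to check a suspect phone's traffic for proxy usage. The script below is an added illustration of what that check looks like in code; it is not from the thread, from iseclab, or from the Mirax samples. It parses SOCKS5 client handshakes (the greeting and request framing defined in RFC 1928) out of captured TCP payloads and reports each proxied destination. The flow layout, flow labels and every address in the sample data are constructed for the example (documentation ranges from RFC 5737 and RFC 2606); in a real capture from a proxied device, the SOCKS client side is the remote operator, so the payloads to feed in are the inbound half of the device's long-lived connections.

```python
"""Flag SOCKS5 handshakes in captured TCP payloads (RFC 1928 framing).

Constructed example for this briefing, not the researchers' tooling.
Input: flows as (flow_id, [payload, ...]) holding, in order, the bytes
sent by the SOCKS *client* side of one TCP connection.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


@dataclass
class Socks5Request:
    command: str
    host: str
    port: int


def parse_greeting(data: bytes) -> Optional[List[int]]:
    """Client greeting: VER(5) NMETHODS METHODS[NMETHODS].
    Returns the offered auth methods, or None if not a valid greeting."""
    if len(data) < 3 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return list(data[2:])


def parse_request(data: bytes) -> Optional[Socks5Request]:
    """Client request: VER(5) CMD RSV(0) ATYP DST.ADDR DST.PORT(2 bytes, big-endian).
    Returns None for anything that is not a complete, well-formed request."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    command = CMD_NAMES.get(data[1])
    if command is None:
        return None
    atyp = data[3]
    if atyp == ATYP_IPV4:
        addr_start, addr_end = 4, 8
    elif atyp == ATYP_IPV6:
        addr_start, addr_end = 4, 20
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5 or data[4] == 0:
            return None
        addr_start, addr_end = 5, 5 + data[4]   # one length byte, then the name
    else:
        return None
    if len(data) != addr_end + 2:               # exactly address + 2-byte port
        return None
    raw = data[addr_start:addr_end]
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(raw))
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(raw))
    else:
        host = raw.decode("ascii", errors="replace")
    (port,) = struct.unpack("!H", data[addr_end:])
    return Socks5Request(command, host, port)


def find_socks5_sessions(flows: List[Tuple[str, List[bytes]]]) -> List[dict]:
    """A hit is a valid greeting as the first payload followed later by a
    valid request (an optional auth sub-negotiation in between is skipped)."""
    hits = []
    for flow_id, payloads in flows:
        if not payloads or parse_greeting(payloads[0]) is None:
            continue
        for payload in payloads[1:]:
            req = parse_request(payload)
            if req is not None:
                hits.append({"flow": flow_id, "command": req.command,
                             "host": req.host, "port": req.port})
                break
    return hits


# Constructed sample flows (not real captures): inbound payloads on a phone's
# connections. Addresses come from documentation ranges, not from any IOC list.
SAMPLE_FLOWS = [
    ("198.51.100.7:4443 -> phone", [
        b"\x05\x01\x00",                                   # greeting: no-auth only
        b"\x05\x01\x00\x03\x10mail.example.net\x00\x19",   # CONNECT mail.example.net:25
    ]),
    ("198.51.100.7:4443 -> phone (second session)", [
        b"\x05\x02\x00\x02",                               # greeting: no-auth or user/pass
        b"\x01\x04user\x04pass",                           # RFC 1929 auth, not a request
        b"\x05\x01\x00\x01\xcb\x00\x71\x0a\x01\xbb",       # CONNECT 203.0.113.10:443
    ]),
    ("203.0.113.50:443 -> phone", [b"HTTP/1.1 200 OK\r\n\r\n"]),        # ordinary web reply
    ("198.51.100.9:1080 -> phone", [b"\x04\x01\x00\x50\x7f\x00\x00\x01\x00"]),  # SOCKS4, ignored
]

if __name__ == "__main__":
    for hit in find_socks5_sessions(SAMPLE_FLOWS):
        print(f"{hit['flow']}: {hit['command']} {hit['host']}:{hit['port']}")
```

The parser insists on exact lengths and a zero reserved byte, so random binary traffic that happens to start with 0x05 is not reported; only a complete greeting followed by a complete request counts. The destinations it prints (here a mail server on port 25 and an HTTPS host) are what turns "this phone is proxying" into something a user or abuse desk can act on.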

Shared from Scout - Be the smartest in the room.