Meet the Android RAT that rents out your phone as a proxy for large-scale fraud

Published · 5 min read

In recent weeks an Android threat has emerged that combines classic remote access Trojan (RAT) capabilities with a worrying twist: besides taking control of the phone, it turns the infected device into an exit node for the attackers' traffic. The technical reports call it Mirax, and its activity has been detected mainly in campaigns aimed at Spanish-speaking countries, where the ads placed on Meta platforms have reached hundreds of thousands of accounts.

Mirax does not only spy: it also rents the device's connection out to the attackers. Operators can interact with the phone in real time (read messages, activate the camera or microphone, log keystrokes and steal credentials through HTML overlays) and, at the same time, route malicious traffic through a SOCKS5 proxy running on the compromised device. This dual use turns every smartphone into a piece of infrastructure: it serves both for bank account fraud and for hiding criminal operations behind the user's legitimate IP address.

Image generated with AI.

The available information suggests that Mirax is sold under a MaaS (malware-as-a-service) model. Researchers who have followed the project's trail report a management panel and an affiliate ecosystem, and note that the product is advertised on underground forums with restricted access. This approach, carefully controlling who gets to use the malware, fits an intention to limit visibility and preserve the "quality" of campaigns.

The most common entry vector in the detected cases has been paid advertising. The attackers create attractive ads that promise free streaming services and redirect to pages designed to make the user download an installer (a "dropper") in APK format. Notably, some of these installers are hosted in public repositories such as GitHub, which makes the URL look legitimate and hinders automated detection. Once downloaded, the installer urges the user to allow installation from unknown sources and to enable accessibility permissions, which are then used to maintain control and to place overlay screens that hide the malicious actions.

The infection process is deliberately complex. Technical analyses describe a multi-stage flow designed to evade automated analysis tools and sandboxes: the dropper unpacks payloads, runs checks to confirm that the file was opened on a real phone rather than an emulator, and only then extracts the final executable that acts as both RAT and proxy. In addition, the malware keeps several bidirectional channels open to its control server, using WebSocket connections on different ports to separate tasks (remote commands, data exfiltration and the establishment of the SOCKS service), which gives the operators modular and resilient control of the operation.

A less well-known but particularly dangerous aspect is the inclusion of a multiplexing layer (Yamux, for example) on top of the SOCKS5 proxy. It lets the attackers open many simultaneous connections through the same victim device without producing anything suspicious in simple traffic patterns: from the outside there is one tunnel, inside it there are many streams. The practical consequence is that a single phone can serve several illegitimate operations at once, from logging into accounts with a "residential" IP to masking large-scale fraud campaigns.
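To make the two formats described above concrete, here is an added example (not code from the Mirax reports or from the malware itself) that decodes a SOCKS5 CONNECT request (RFC 1928) and the 12-byte Yamux frame headers that follow it, then summarizes what a network sensor would record: the target the proxy was asked to reach and how many streams the multiplexed session opened inside the single tunnel. The byte strings are constructed for the example; the target host and stream layout are assumptions.

```python
"""Decode a SOCKS5 CONNECT request and Yamux frame headers from raw bytes.

Added example, not code from the Mirax analyses. The sample bytes below are
constructed to resemble what a proxy client sends through a compromised device;
the helpers decode the two formats and report what a sensor could alert on.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
SOCKS_CMD = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
YAMUX_TYPE = {0: "DATA", 1: "WINDOW_UPDATE", 2: "PING", 3: "GO_AWAY"}
YAMUX_FLAGS = {1: "SYN", 2: "ACK", 4: "FIN", 8: "RST"}


def parse_socks5_request(buf: bytes) -> dict:
    """SOCKS5 request (RFC 1928 s.4): VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(buf) < 4 or buf[0] != SOCKS_VERSION or buf[2] != 0:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = buf[1], buf[3]
    pos = 4
    if atyp == 1:            # IPv4: 4 raw bytes
        host = str(ipaddress.IPv4Address(buf[pos:pos + 4]))
        pos += 4
    elif atyp == 3:          # domain name: 1 length byte + name
        n = buf[pos]
        host = buf[pos + 1:pos + 1 + n].decode("ascii")
        pos += 1 + n
    elif atyp == 4:          # IPv6: 16 raw bytes
        host = str(ipaddress.IPv6Address(buf[pos:pos + 16]))
        pos += 16
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    (port,) = struct.unpack("!H", buf[pos:pos + 2])
    return {"cmd": SOCKS_CMD.get(cmd, f"UNKNOWN({cmd})"), "host": host,
            "port": port, "consumed": pos + 2}


def parse_yamux_frames(buf: bytes) -> list:
    """Consecutive Yamux frames: 12-byte big-endian header (version=0, type,
    flags, stream id, length); only DATA frames carry `length` payload bytes."""
    frames = []
    pos = 0
    while pos + 12 <= len(buf):
        version, ftype, flags, sid, length = struct.unpack("!BBHII", buf[pos:pos + 12])
        if version != 0 or ftype not in YAMUX_TYPE:
            raise ValueError(f"not a Yamux header at offset {pos}")
        pos += 12
        payload = b""
        if ftype == 0:       # for the other types `length` is a value, not a body size
            payload = buf[pos:pos + length]
            pos += length
        frames.append({"type": YAMUX_TYPE[ftype],
                       "flags": [n for bit, n in YAMUX_FLAGS.items() if flags & bit],
                       "stream": sid, "length": length, "payload": payload})
    return frames


def summarize_session(socks_req: bytes, mux_stream: bytes) -> dict:
    """What a sensor records: the CONNECT target and the streams opened
    (a SYN flag on a frame opens a stream) inside the single tunnel."""
    req = parse_socks5_request(socks_req)
    frames = parse_yamux_frames(mux_stream)
    opened = sorted({f["stream"] for f in frames if "SYN" in f["flags"]})
    return {"target": f'{req["host"]}:{req["port"]}', "cmd": req["cmd"],
            "streams_opened": opened, "frames": len(frames)}


# Constructed sample: CONNECT to bank.example:443 by domain name, then a Yamux
# session in which the client opens streams 1, 3 and 5 (client-initiated ids
# are odd) and sends data on stream 1.
SAMPLE_CONNECT = bytes([5, 1, 0, 3, 12]) + b"bank.example" + struct.pack("!H", 443)
SAMPLE_YAMUX = (
    struct.pack("!BBHII", 0, 1, 1, 1, 256 * 1024)      # WINDOW_UPDATE, SYN, stream 1
    + struct.pack("!BBHII", 0, 1, 1, 3, 256 * 1024)    # WINDOW_UPDATE, SYN, stream 3
    + struct.pack("!BBHII", 0, 0, 0, 1, 5) + b"hello"  # DATA on stream 1
    + struct.pack("!BBHII", 0, 1, 1, 5, 256 * 1024)    # WINDOW_UPDATE, SYN, stream 5
)

if __name__ == "__main__":
    print(summarize_session(SAMPLE_CONNECT, SAMPLE_YAMUX))
```

The point for detection is the last function: one outbound TCP connection from a residential address carrying a SOCKS5 CONNECT and then a stream of frames with many distinct stream IDs is the shape of a rented exit node, whatever the payload inside the streams looks like.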

Its distribution methods and technical features place Mirax at the intersection of traditional banking malware and the abuse of residential proxy networks, a trend that worries defenders because it multiplies the economic value of each compromised device. In addition, the limited distribution of the service, which according to reports prioritizes actors with a track record in Russian-speaking communities, underlines a strategy of control and professionalization that makes intervention and attribution harder.

In parallel, the mobile malware scene shows other similar developments: groups selling multi-user panels, RATs presented as legitimate utilities, and campaigns localized by language and theme. A recent example documented by intelligence firms is a RAT distributed with lures related to government services, which shows that these tools serve both financial crime and targeted surveillance.

What can users and platforms do? For individuals, the most important rule is still caution: do not install applications from outside the official stores, distrust ads that promise free paid content, and review carefully the permissions you grant, especially accessibility. For companies and online service providers, detection of residential-IP usage patterns and correlation of unusual behaviour should be strengthened, together with the identification of malicious ads in advertising ecosystems. The platforms that host the advertising also bear responsibility: tightening advertiser verification and monitoring the final destinations of clicks can reduce the effectiveness of this kind of fraud.
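The two things the dropper asks for, installation from unknown sources and an accessibility service, both leave traces that can be checked from a workstation. The added example below (it is not code from the reports cited here) parses the text printed by two stock Android commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and flags apps that were sideloaded and hold an accessibility service. The command output embedded in the block is constructed, and the allow-list and the package names in it are assumptions for the example.

```python
"""Triage the two settings a Mirax-style dropper abuses: sideloading and
accessibility access.

Added example, not from the Mirax reports. It parses the output of two stock
Android commands so it runs offline on the constructed samples at the bottom:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3 -i
"""

# Accessibility services you know and accept (assumed for this example).
KNOWN_ACCESSIBILITY = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
# Installer package names that mean "came from an app store" (Play, Galaxy Store).
STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}


def unexpected_accessibility(settings_value: str) -> list:
    """enabled_accessibility_services is a colon-separated list of
    package/ServiceClass components; return those not on the allow-list."""
    value = settings_value.strip()
    if not value or value == "null":
        return []
    return [c for c in value.split(":") if c and c not in KNOWN_ACCESSIBILITY]


def sideloaded_packages(pm_output: str) -> list:
    """pm list packages -3 -i prints `package:<name>  installer=<pkg|null>` for
    third-party apps; return (package, installer) for those not from a store."""
    found = []
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition("  installer=")
        installer = rest.strip() or "null"   # no installer field at all == sideloaded
        if installer not in STORE_INSTALLERS:
            found.append((name.strip(), installer))
    return found


def triage(settings_value: str, pm_output: str) -> dict:
    """Combine both checks: a package that is sideloaded AND owns an enabled
    accessibility service matches the profile of the dropper described above."""
    acc = unexpected_accessibility(settings_value)
    side = sideloaded_packages(pm_output)
    side_names = {pkg for pkg, _ in side}
    both = sorted({c.split("/")[0] for c in acc} & side_names)
    return {"accessibility": acc, "sideloaded": side,
            "sideloaded_with_accessibility": both}


# Constructed samples of what the two commands print on an infected device;
# com.stream.free.tv stands in for a "free streaming" dropper and is made up.
SAMPLE_SETTINGS = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.stream.free.tv/com.stream.free.tv.AccService"
)
SAMPLE_PM = """\
package:com.bank.mobile  installer=com.android.vending
package:com.stream.free.tv  installer=null
package:com.example.sidetool  installer=com.android.packageinstaller
"""

if __name__ == "__main__":
    for key, val in triage(SAMPLE_SETTINGS, SAMPLE_PM).items():
        print(f"{key}: {val}")
```

On a real device, `installer=null` or `installer=com.android.packageinstaller` means the APK was installed by hand, which is exactly the path the ad-to-GitHub lure pushes the victim down; an entry in the accessibility list that belongs to such a package is the one to remove first.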


For further technical findings and advisories published by the teams that have analysed these campaigns, consult the response and analysis work of the vendors themselves and of specialized groups. Reference sources include the pages of companies investigating online fraud and threats such as Cleafy (cleafy.com), reports and blogs of security firms like Outpost24 KrakenLabs (outpost24.com), and organizations that publish intelligence on emerging threats, for example Breakglass Intelligence (breakglassontel.com). For platform-level security recommendations, Google's documentation on Google Play Protect and Android risks is a useful resource (support.google.com), and Meta's advertising policies give context on how ads are supposed to be managed (facebook.com/policies/ads).

In the end, Mirax is a reminder that mobile threats are no longer limited to stealing credentials or intercepting messages: attackers are converting personal devices into reusable infrastructure for broader criminal operations. The combination of social engineering through targeted advertising, hosting on public services to camouflage URLs, and technical development that prioritizes evasion and persistence calls for a coordinated response from users, platforms and security specialists.

The good news is that basic defences remain highly effective: avoiding installations of unverified origin, limiting accessibility permissions, keeping the system up to date and using recognized mobile security solutions significantly reduce the risk of becoming part of a proxy botnet or a fraud network. The bad news is that, as long as these practices are not universal, projects like Mirax will keep finding victims and customers for their "service".
