MIRAX is an Android banking trojan that combines remote access features with residential proxy capabilities, turning infected devices into proxy nodes to broaden its impact. According to an advisory published by Cleafy, the malware has been observed targeting Spanish-speaking users, with campaigns reaching more than 200,000 accounts through advertisements on social media platforms.
Cleafy said Mirax represents a shift in Android malware, operating under a restricted MaaS model that limits access to a small group of affiliates to maintain operational security and improve campaign effectiveness. The malware enables attackers to fully control infected devices in real time, executing commands, monitoring activity and deploying fake overlays on legitimate apps to steal data, with overlays fetched dynamically from C2 servers.
It also includes surveillance features such as continuous keylogging and collection of lock screen details like PIN structure and biometric usage. One defining feature is the ability to route traffic through infected devices as residential proxy nodes, potentially aiding account takeovers and anonymised network attacks.