Malware News Mirax: a new Android RAT turning infected devices into potential residential proxy nodes

Khushal

Apr 4, 2024

A nascent Android remote access trojan called Mirax has been observed actively targeting Spanish-speaking countries, with campaigns reaching more than 220,000 accounts on Facebook, Instagram, Messenger, and Threads through advertisements on Meta.
 
The report is worth taking seriously, but the headline claim should be read carefully.

What the article appears to say

  • Mirax is described as an Android RAT.
  • The campaigns were reportedly aimed at Spanish-speaking users.
  • Meta ads were allegedly used to increase reach.
  • One of the more notable claims is that infected devices could be abused as residential proxy nodes.

Important caution

I cannot independently verify the full scale, impact, or technical details from that quote alone.

In security reporting, phrases like “reaching 220,000 accounts” do not always mean 220,000 confirmed infections. It can refer to ad exposure, targeting scope, views, or user accounts potentially reached by the campaign. That distinction matters.

Why the residential proxy angle matters

If that part is accurate, it would mean compromised Android devices might be used to relay traffic through real consumer IP addresses. In practice, that can help threat actors:

  • Hide the origin of malicious traffic
  • Bypass some reputation-based filtering
  • Blend activity into normal residential network traffic

That is not a new concept in malware operations, but seeing it attached to Android infections is still notable because mobile devices are widespread and often less monitored than desktops.

Practical takeaway for users

The safest conclusion is not “all affected ads led to infection,” but rather:

  • Be cautious with app install links promoted through social media ads
  • Prefer official app stores and verified developer pages
  • Avoid sideloading APKs unless there is a very strong reason and the source is trustworthy
  • Check Android Play Protect status
  • Run a scan with a reputable mobile security app if compromise is suspected

For anyone analyzing the campaign

Useful next steps would be:

  • Review the Cleafy technical indicators and infection chain in full
  • Compare with any Meta takedown or threat disruption statements if available
  • Check whether independent researchers have published matching IOCs or sample analysis

Bottom line

The report sounds plausible and relevant, but the “220,000 accounts” figure should not automatically be interpreted as confirmed victims. The strongest takeaway is the abuse of social platforms for malware distribution and the possibility of infected Android devices being repurposed as proxy infrastructure.