Mirax Android RAT Deploys via Meta Ads, Infects 220,000 Devices for SOCKS5 Proxy Network


A newly identified Android Remote Access Trojan (RAT), dubbed Mirax, is actively compromising devices, primarily in Spanish-speaking regions. The malware’s distribution campaign has achieved significant reach, impacting over 220,000 user accounts across Meta’s advertising platforms, including Facebook, Instagram, Messenger, and Threads.

Security researchers analyzing the threat have identified its core functionality. Mirax is equipped with sophisticated remote access capabilities that grant attackers comprehensive, real-time control over infected Android smartphones and tablets.

Technical Capabilities and Infrastructure

Beyond standard surveillance and data theft, Mirax incorporates a specific feature that transforms compromised devices into SOCKS5 proxy servers. This allows the malware operators to route their own internet traffic through the victim’s device, effectively masking the origin of their activities.

This proxy functionality can be used for a range of malicious purposes. It enables threat actors to anonymize further attacks, bypass geographic content restrictions, or conduct fraudulent advertising clicks and account creation schemes. The use of legitimate user devices as proxies makes malicious traffic exceedingly difficult for security systems to distinguish from normal activity.

The infection vector for this widespread campaign has been malicious advertisements served through Meta’s ad network. Users clicking on these ads are redirected to sites that host the malware, often disguised as legitimate applications or services.

Implications for Users and Platforms

The scale of this campaign, affecting a quarter-million accounts, highlights the evolving tactics of cybercriminal groups. It demonstrates a shift towards leveraging large, legitimate advertising ecosystems to achieve mass distribution of mobile malware.

For individual users, a device infected with Mirax represents a severe privacy and security breach. Attackers can access personal messages, photos, location data, and banking credentials. The device’s resources are also co-opted into a botnet, potentially slowing performance and incurring data charges for the owner.

The incident places renewed scrutiny on the advertisement vetting processes of major social media platforms. While digital ad networks are a powerful tool for businesses, they present an attractive attack surface for threat actors seeking a large, targeted audience.

Security experts note that the focus on Spanish-speaking audiences may indicate a testing phase or a specific targeting strategy by the malware’s operators. Such geographical focus is common in early-stage campaigns before a broader, global rollout.

Mitigation and Protective Measures

Users are advised to exercise extreme caution when interacting with online advertisements, even on trusted platforms. Applications should be downloaded only from official app stores such as Google Play, and vigilance is required there as well.

Keeping device operating systems and all applications updated is a critical defense, as updates often patch security vulnerabilities that malware exploits. Installing a reputable mobile security solution can provide an additional layer of detection.

Organizations managing corporate devices should enforce strict mobile device management (MDM) policies. These policies can restrict the installation of apps from unknown sources and monitor for anomalous network traffic indicative of proxy behavior.
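As one concrete form of the proxy-traffic monitoring mentioned above, the following added example (not code from the researchers or from any vendor) checks whether the first messages of a captured flow form a valid SOCKS5 negotiation as defined in RFC 1928. The article gives no details of Mirax's wire format, so the example assumes plain, unencrypted SOCKS5 framing; the function names and the sample flows are constructed for illustration.

```python
import ipaddress
import struct

COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}
METHODS = {0x00: "no-auth", 0x02: "username/password", 0xFF: "no-acceptable"}

def parse_greeting(data: bytes):
    """Greeting is VER=5, NMETHODS, METHODS[NMETHODS]; returns offered methods or None."""
    if len(data) < 3 or data[0] != 0x05 or len(data) != 2 + data[1]:
        return None
    return list(data[2:])

def parse_request(data: bytes):
    """Request is VER, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT; returns (cmd, host, port) or None."""
    if len(data) < 7 or data[0] != 0x05 or data[2] != 0x00 or data[1] not in COMMANDS:
        return None
    atyp, body = data[3], data[4:]
    if atyp == 0x01 and len(body) == 6:            # IPv4 address + port
        host = str(ipaddress.IPv4Address(body[:4]))
    elif atyp == 0x04 and len(body) == 18:         # IPv6 address + port
        host = str(ipaddress.IPv6Address(body[:16]))
    elif atyp == 0x03 and body[0] > 0 and len(body) == 1 + body[0] + 2:  # length-prefixed name
        host = body[1:1 + body[0]].decode("ascii", "replace")
    else:
        return None
    return COMMANDS[data[1]], host, struct.unpack("!H", body[-2:])[0]

def classify_flow(initiator_msgs, responder_msgs):
    """Return negotiation details if the flow opens with a valid SOCKS5 exchange, else None."""
    if not initiator_msgs or not responder_msgs:
        return None
    offered = parse_greeting(initiator_msgs[0])
    reply = responder_msgs[0]
    if offered is None or len(reply) != 2 or reply[0] != 0x05:
        return None
    if reply[1] != 0xFF and reply[1] not in offered:   # responder must pick an offered method
        return None
    result = {"method": METHODS.get(reply[1], hex(reply[1])), "request": None}
    if reply[1] == 0x00 and len(initiator_msgs) > 1:   # with no-auth, the request follows directly
        result["request"] = parse_request(initiator_msgs[1])
    return result

# Constructed sample flows (not captured traffic): one SOCKS5 negotiation, one TLS-like exchange.
SOCKS_FLOW = (
    [bytes.fromhex("050100"), bytes.fromhex("05010003") + b"\x0bexample.com" + bytes.fromhex("01bb")],
    [bytes.fromhex("0500")],
)
TLS_FLOW = ([bytes.fromhex("160301020001")], [bytes.fromhex("1603030059")])
```

Requiring both the greeting and a consistent method-selection reply keeps the check from firing on arbitrary payloads that merely start with the byte 0x05. Traffic wrapped in TLS or another tunnel will not match and has to be caught by flow-level signals instead.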

Meta has likely taken steps to remove the malicious advertisements and associated accounts following its discovery. Platform users who suspect they clicked on a suspicious ad should run a security scan on their device and monitor for unusual activity.

Looking forward, security analysts anticipate that the operators behind Mirax will continue to refine their techniques. The campaign’s success may inspire imitation, leading to a surge in similar ad-based distribution methods for other mobile malware families. The cybersecurity community expects ongoing analysis of Mirax’s command-and-control infrastructure, which may lead to takedown efforts by international law enforcement and technology firms in the coming months.
