# Mirax Android RAT Exploits Meta Advertising to Reach 220,000+ Users, Converting Devices into Proxy Infrastructure


## The Threat


Security researchers have identified a new and actively distributed Android remote access trojan (RAT) called Mirax that is being weaponized at scale against Spanish-speaking regions. The malware has already reached over 220,000 potential victims through advertisements placed on Meta platforms, including Facebook, Instagram, Messenger, and Threads. Mirax represents a concerning evolution in mobile malware campaigns, combining sophisticated RAT capabilities with proxy functionality to create a distributed botnet of compromised Android devices.


Unlike traditional mobile malware that primarily steals data or deploys ransomware, Mirax is designed to convert infected devices into SOCKS5 proxies—allowing threat actors to route traffic through thousands of compromised phones. This capability transforms victim devices into valuable infrastructure for criminal operations, including fraud, credential theft, and lateral movement into corporate networks.


## Campaign Distribution and Targeting


### How Mirax Spreads


The distribution method employed by Mirax's operators is notably sophisticated. Rather than relying on traditional malicious app store submissions or phishing links, the threat actors are purchasing legitimate advertising space on Meta's platforms. This approach provides several tactical advantages:


- Legitimacy: Ads on Meta platforms appear trusted and official, increasing click-through rates
- Scale: Meta's advertising network reaches hundreds of millions of users globally
- Targeting Precision: The attackers can geographically target Spanish-speaking regions with minimal waste
- Obfuscation: Legitimate advertising infrastructure obscures the malware distribution chain

The campaign has achieved significant reach, with confirmed numbers exceeding 220,000 account engagements across Meta's ecosystem. However, the actual infection rate—the percentage of users who installed the malware—may be considerably lower, as not all ad clicks result in successful payload delivery.


### Geographic and Linguistic Focus


Mirax primarily targets Spanish-speaking populations, with the heaviest concentration of campaigns directed toward:


- Latin American countries
- Spain and Portugal
- Spanish-speaking communities in North America

This geographic focus suggests threat actors have optimized their social engineering and malware for Spanish-language environments, potentially using culturally relevant lures or messaging to increase infection success rates.


## Technical Analysis


### Mirax Capabilities


The malware demonstrates a comprehensive feature set typical of modern Android RATs:


| Capability | Purpose |
|-----------|---------|
| Remote Code Execution | Execute arbitrary commands on the device |
| Screen Recording | Capture user activities and sensitive information |
| SOCKS5 Proxy | Route network traffic through the compromised device |
| SMS Interception | Intercept and manipulate text messages |
| Contact and Media Access | Extract phone contacts, photos, and documents |
| Device Control | Control device functions remotely |
| Persistence Mechanisms | Maintain presence across reboots and updates |


### The SOCKS5 Proxy Component


The SOCKS5 proxy functionality is particularly notable, as it transforms each infected device into a valuable asset within a broader criminal infrastructure. SOCKS5 proxies allow threat actors to:


- Mask their origin: Route malicious traffic through residential IP addresses belonging to compromised phones
- Bypass geographic restrictions: Access region-locked services using the victim's location
- Evade detection: Residential proxies are far less likely to be blocked by security systems than datacenter proxies
- Conduct fraud: Use legitimate-appearing device connections for account takeovers, fake purchases, and credential attacks

This proxy capability suggests Mirax is being monetized not just for direct theft but also as a service—criminal operators may rent access to the proxy network to other bad actors.


## Implications for Users and Organizations


### Individual Users


Android users in targeted regions face several risks from Mirax infection:


- Identity Theft: Access to contacts, messages, and personal information
- Financial Fraud: Compromised banking apps and payment systems
- Credential Harvesting: Attackers can intercept logins and sensitive communications
- Privacy Violations: Continuous surveillance through screen recording and media access
- Battery and Data Drain: Proxy traffic consumes device resources, increasing battery usage and data consumption


### Organizations


For businesses operating in or serving Spanish-speaking markets, Mirax poses indirect but serious threats:


- Employee Device Compromise: Staff members opening ads on work phones could introduce malware into corporate networks
- Proxy-Based Attacks: Compromised employee devices become entry points for lateral movement and business email compromise
- Credential Theft: Loss of employee credentials that access corporate systems
- Regulatory Exposure: Customer data breaches stemming from compromised devices create liability

## Detection and Mitigation


### Technical Indicators


Security teams should monitor for:


- Unusual network traffic, particularly proxy connections (SOCKS5 typically uses port 1080)
- Excessive data consumption from unknown applications
- Unexplained background processes or services
- Unusual CPU usage or device slowdown
- Apps requesting excessive permissions (SMS, contacts, media, network)
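The network indicators above can be turned into a simple triage rule. The following Python script is an added example, not code from the article or from any analysis of Mirax itself: it scans constructed per-app connection records (the `app=... dst=... out=... hex=...` line format is hypothetical, standing in for MDM or NetFlow-style telemetry) and flags connections to the SOCKS default port 1080, first payload bytes that match the SOCKS5 client greeting or request layout from RFC 1928, and outbound volume from a non-allowlisted app above an assumed 50 MB threshold. The sample records, the allowlist and the threshold are all constructed values.

```python
"""Added example (not from the original article): scan constructed per-app
connection records from an Android device for the proxy indicators listed
above: port 1080, SOCKS5 handshake bytes, excessive outbound data from an
unrecognised app."""
from __future__ import annotations

import re
from collections import defaultdict

SOCKS5_VERSION = 0x05
SOCKS5_DEFAULT_PORT = 1080
SOCKS5_COMMANDS = {0x01, 0x02, 0x03}     # CONNECT, BIND, UDP ASSOCIATE (RFC 1928)
SOCKS5_ADDR_TYPES = {0x01, 0x03, 0x04}   # IPv4, domain name, IPv6 (RFC 1928)
OUTBOUND_THRESHOLD = 50_000_000          # bytes per day; assumed tuning value

# Constructed sample telemetry in a hypothetical line format:
#   app=<package> dst=<ip>:<port> out=<bytes sent> hex=<first payload bytes, hex>
SAMPLE_LOG = """\
app=com.example.weather dst=203.0.113.10:443 out=48211 hex=160301
app=com.unknown.helper dst=198.51.100.7:1080 out=73400000 hex=050100
app=com.unknown.helper dst=198.51.100.7:8443 out=120 hex=05010001c0a80101
app=com.example.mail dst=203.0.113.20:993 out=20500 hex=
"""
KNOWN_APPS = {"com.example.weather", "com.example.mail"}  # constructed allowlist

LINE_RE = re.compile(r"app=(\S+) dst=(\S+):(\d+) out=(\d+) hex=([0-9a-fA-F]*)")


def is_socks5_greeting(data: bytes) -> bool:
    """Client greeting per RFC 1928: VER=0x05, NMETHODS, then exactly NMETHODS
    method bytes. The exact-length check keeps a request from matching here."""
    if len(data) < 3 or data[0] != SOCKS5_VERSION:
        return False
    nmethods = data[1]
    return nmethods >= 1 and len(data) == 2 + nmethods


def is_socks5_request(data: bytes) -> bool:
    """Request per RFC 1928: VER=0x05, CMD, RSV=0x00, ATYP, then address and port."""
    return (len(data) >= 4 and data[0] == SOCKS5_VERSION
            and data[1] in SOCKS5_COMMANDS and data[2] == 0x00
            and data[3] in SOCKS5_ADDR_TYPES)


def analyze_log(text: str, known_apps: set[str]) -> dict[str, list[str]]:
    """Return findings keyed by app; apps with no findings are absent."""
    findings: dict[str, list[str]] = defaultdict(list)
    outbound: dict[str, int] = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable record; a real pipeline would count these
        app, dst_ip, port, out, hexdata = m.groups()
        port, out = int(port), int(out)
        payload = bytes.fromhex(hexdata)
        outbound[app] += out
        if port == SOCKS5_DEFAULT_PORT:
            findings[app].append(f"connection to {dst_ip}:{port} (SOCKS default port)")
        if is_socks5_greeting(payload):
            findings[app].append("SOCKS5 client greeting in first payload bytes")
        elif is_socks5_request(payload):
            findings[app].append("SOCKS5 request (CONNECT/BIND/UDP) in first payload bytes")
    # Volume is judged per app over the whole window, not per connection.
    for app, total in outbound.items():
        if app not in known_apps and total > OUTBOUND_THRESHOLD:
            findings[app].append(f"{total} bytes outbound from non-allowlisted app")
    return dict(findings)


if __name__ == "__main__":
    for app, reasons in analyze_log(SAMPLE_LOG, KNOWN_APPS).items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```

Port 1080 alone is a weak signal, since a proxy can listen on any port; the handshake-byte checks catch SOCKS5 on non-standard ports, and the per-app volume check catches relaying that never exposes the handshake to the collector. In practice the three signals are best combined rather than alerted on individually.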

### User-Level Protections


Android users should implement these defenses:


- Enable Google Play Protect: Provides automated scanning of installed apps
- Keep Android Updated: Apply security patches promptly; many exploit chains rely on unpatched vulnerabilities
- Review App Permissions: Disable access to SMS, contacts, and media for apps that don't need them
- Avoid Suspicious Links: Exercise caution with ads and links from unfamiliar sources, even on legitimate platforms
- Use Mobile Security Software: Deploy reputable mobile antivirus or security software from established vendors
- Disable Unknown Sources: Prevent installation of apps outside the Google Play Store

### Organizational Response


Companies should:


- Educate Employees: Train staff on the risks of clicking ads on social media, particularly regarding mobile devices
- Implement Mobile Device Management (MDM): Deploy MDM solutions to monitor and control employee devices
- Monitor for Indicators: Use security tools to detect suspicious network patterns or unauthorized connections
- Audit Permissions: Regularly review installed applications and their requested permissions
- Network Segmentation: Isolate employee devices from critical systems using zero-trust network architectures
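Both the user-level advice (review SMS, contacts and media permissions) and the organizational "Audit Permissions" step come down to the same check: which installed apps hold the permission combination a RAT needs, and did they arrive through the Play Store. The following Python script is an added example, not code from the article or from any vendor tool: it scores a constructed app inventory (the JSON export format is hypothetical; a real one would come from an MDM or from `adb`) using real Android permission names, and flags sideloaded apps that combine SMS, contacts, media and network access. The weights and threshold are assumed tuning values.

```python
"""Added example, not code from the original article: audit an Android app
inventory for the permission pattern described above (sideloaded app holding
SMS, contacts, media and network access). Inventory format is hypothetical."""
from __future__ import annotations

import json

PLAY_STORE = "com.android.vending"  # installer package name of the Google Play Store

# Permission groups the article says to review; the names are real Android permissions.
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
       "android.permission.SEND_SMS"}
CONTACTS = {"android.permission.READ_CONTACTS"}
MEDIA = {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_MEDIA_IMAGES",
         "android.permission.READ_MEDIA_VIDEO"}
NETWORK = {"android.permission.INTERNET"}
PERSISTENCE = {"android.permission.RECEIVE_BOOT_COMPLETED"}
SURVEILLANCE = {"android.permission.RECORD_AUDIO", "android.permission.SYSTEM_ALERT_WINDOW"}

# Constructed inventory in a hypothetical export format; not data from a real device.
SAMPLE_INVENTORY = json.dumps([
    {"package": "com.example.messenger", "installer": PLAY_STORE,
     "permissions": ["android.permission.READ_SMS", "android.permission.READ_CONTACTS",
                     "android.permission.INTERNET"]},
    {"package": "com.promo.giveaway", "installer": None,
     "permissions": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                     "android.permission.READ_CONTACTS", "android.permission.READ_MEDIA_IMAGES",
                     "android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED",
                     "android.permission.SYSTEM_ALERT_WINDOW"]},
    {"package": "com.example.flashlight", "installer": PLAY_STORE,
     "permissions": ["android.permission.CAMERA"]},
])

# (label, permission group, weight); weights are assumed tuning values.
RULES = (
    ("SMS access", SMS, 3),
    ("contacts access", CONTACTS, 2),
    ("media access", MEDIA, 2),
    ("persistence across reboot", PERSISTENCE, 1),
    ("surveillance capability", SURVEILLANCE, 3),
)


def audit_app(entry: dict) -> tuple[int, list[str]]:
    """Score one app. Each matching group adds its weight; network access on top of
    data permissions adds one more; an unknown installer doubles the total."""
    perms = set(entry.get("permissions", []))
    score, reasons = 0, []
    for label, group, weight in RULES:
        if perms & group:
            score += weight
            reasons.append(label)
    if perms & NETWORK and score > 0:
        score += 1
        reasons.append("network access combined with data permissions")
    if entry.get("installer") != PLAY_STORE:
        score *= 2
        reasons.append("not installed from Google Play (sideloaded or unknown installer)")
    return score, reasons


def audit_inventory(inventory_json: str, threshold: int = 8) -> list[dict]:
    """Return apps scoring at or above the threshold, highest score first."""
    flagged = []
    for entry in json.loads(inventory_json):
        score, reasons = audit_app(entry)
        if score >= threshold:
            flagged.append({"package": entry["package"], "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for hit in audit_inventory(SAMPLE_INVENTORY):
        print(hit["package"], hit["score"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

A legitimate messaging app from the Play Store holding SMS and contacts permissions scores below the threshold, while the same permissions on a sideloaded app with boot persistence and an overlay permission score well above it; the reasons list is what an analyst would read when deciding whether to remove the app or just revoke the permissions.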

## Recommendations


### For Individual Users


1. Verify Before Installing: Visit the official app store listing before downloading any application, even if directed through an ad
2. Use Secure Browsers: Enable enhanced security features in mobile browsers
3. Monitor Device Health: Regularly check Settings > Apps to review installed applications and their permissions
4. Report Malicious Ads: Use Meta's reporting tools to flag suspicious advertisements


### For Security Teams


1. Threat Intel Integration: Subscribe to feeds covering Android malware to track Mirax variants
2. Endpoint Detection: Deploy mobile threat detection solutions to identify command-and-control communications
3. Network Analysis: Monitor outbound proxy connections from employee devices
4. Incident Response: Develop procedures for isolating and remediating compromised Android devices


### For Platform Operators


Meta and other advertising platforms should enhance their ad vetting processes to prevent distribution of malware payloads, though the challenge remains significant given the sophisticated nature of these campaigns.


## Conclusion


Mirax represents a maturing Android threat landscape where malware distribution occurs at scale through mainstream advertising networks. By combining sophisticated RAT capabilities with SOCKS5 proxy functionality, the attackers create infrastructure that benefits both direct data theft and broader criminal operations. Organizations and users in Spanish-speaking regions should prioritize Android security hardening, and defenders globally should monitor for similar campaigns that may target other geographic or linguistic populations.