Mirax Android RAT Infects 220,000+ Devices via Meta Ads, Sold as Exclusive MaaS

New 'Mirax' Android RAT Spreads via Facebook and Instagram Ads, Offered as Malware-as-a-Service

HIGH
April 15, 2026
Categories: Malware, Mobile Security, Threat Actor

Impact Scope

People Affected: 220,000+
Industries Affected: Telecommunications

Related Entities

Threat Actors: Mirax Bot
Organizations: Outpost24
Products & Tech: SOCKS5
Other: Mirax RAT, Meta, GitHub

Full Report

Executive Summary

A new and sophisticated Android Remote Access Trojan (RAT) named Mirax is being actively distributed through malicious ads on Meta's popular platforms, including Facebook, Instagram, and Messenger. According to research from Outpost24's KrakenLabs, the campaign has already infected over 220,000 users, with a primary focus on Spanish-speaking countries. The malware provides attackers with full remote control over the victim's device. A key feature of Mirax is its ability to turn the infected Android phone into a residential SOCKS5 proxy, which is then used to route and anonymize other malicious activities. The operation is professionally run, with the threat actor, known as Mirax Bot, selling the malware as an exclusive Malware-as-a-Service (MaaS) on underground forums.
Threat Overview

The Mirax campaign demonstrates a multi-stage attack chain that leverages trusted platforms for initial distribution.

Attack Chain

  1. Distribution: The primary infection vector is malicious advertisements on Meta's social media apps. These ads lead users to web pages hosting dropper applications. The campaign also uses GitHub to host malicious APK files.
  2. Installation: The user is tricked into downloading and installing a dropper app. During installation, the app requests permission to install from "unknown sources," a critical step to bypass the Google Play Store's security.
  3. Payload Deployment: Once the necessary permissions are granted, the dropper application executes a multi-stage process that downloads and installs the final Mirax RAT payload.
  4. Execution: The Mirax RAT establishes a command-and-control (C2) connection and provides the attacker with full remote access to the device.

Malware Capabilities

  • Remote Control: Full real-time access to the device, including files, contacts, and messages.
  • Proxyfication: The malware's key function is to turn the device into a SOCKS5 proxy node. This allows the attacker to use the victim's IP address and internet connection to conduct other attacks, making them harder to trace.

Impact Assessment

The impact on the 220,000+ victims is severe. Their devices are fully compromised, leading to the theft of personal data, banking credentials, and private conversations. Furthermore, their devices are being used as part of a criminal infrastructure, which could potentially implicate the device owner in malicious activities conducted through the proxy.

The operation is notable for its business model. Mirax is not a widespread, low-quality malware; it's marketed as a private, high-end MaaS. Subscription prices start at $2,500 for three months, with a preference for Russian-speaking actors with established reputations. This indicates a sophisticated threat actor focused on providing a reliable, high-quality tool for other criminals, rather than just conducting the attacks themselves.

Detection and Response

  • For Users: If you suspect your device is infected, look for unusual battery drain, high data usage, or apps that you don't remember installing. The best course of action is to perform a factory reset of the device after backing up important data (like photos). After resetting, change the passwords for all accounts that were used on the device.
  • Check Permissions: Regularly review the permissions granted to your apps. Be especially wary of any app that has permission to "install unknown apps."

Mitigation

  1. Avoid Sideloading Apps: The most effective mitigation is to only install applications from the official Google Play Store. Disable the "Install from unknown sources" permission on your Android device.
  2. Scrutinize App Permissions: When installing any new app, even from the Play Store, carefully review the permissions it requests. A simple game does not need access to your contacts and messages.
  3. Use a Mobile Security App: Reputable mobile antivirus solutions can detect and block known malware like Mirax.
  4. Be Wary of Ads: Exercise caution when clicking on advertisements, especially those that promise free or premium versions of popular apps. If an ad directs you to a website to download an APK file, it is almost certainly malicious.

Timeline of Events

  1. March 1, 2026: The Mirax RAT campaign is first identified by researchers.
  2. April 15, 2026: Public reports emerge detailing the Mirax campaign and its Malware-as-a-Service model.
  3. April 15, 2026: This article was published.

MITRE ATT&CK Mitigations

Disabling the 'Install from unknown sources' feature on Android devices is the most effective mitigation against this threat.

Educating users about the dangers of sideloading applications and clicking on suspicious ads is a critical preventative measure.

Using a reputable mobile security application can help detect and block the installation of malicious APKs.

D3FEND Defensive Countermeasures

The most critical defense against the Mirax RAT is to harden the configuration of the Android OS itself. Specifically, users must ensure that the 'Install from unknown sources' setting is disabled. This single setting prevents the installation of any application (APK file) that does not come from the official Google Play Store. The entire Mirax attack chain relies on tricking the user into enabling this feature. By proactively disabling it, users can effectively shut down this primary infection vector. For enterprise environments with managed mobile devices (MDM), this setting should be enforced via policy so that end-users cannot change it.

For users who have already been infected or are at high risk, mobile security software that incorporates executable denylisting can provide protection. Reputable mobile antivirus and security applications maintain blocklists of known malicious APKs and their signatures. When a user attempts to download or install a file matching a known malicious signature, the security software will block the action and alert the user. While this is a reactive measure, it is an important layer of defense for catching known threats like Mirax, especially for users who may be more susceptible to the social engineering tactics used in the malicious Meta ads.
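An added example, not code from the article or from Outpost24's research, covering both the "Check Permissions" advice above and the hardening note in this section: it uses adb to list which third-party apps on an attached device currently hold Android's per-app "install unknown apps" grant (the REQUEST_INSTALL_PACKAGES app op that a sideloaded dropper depends on) and can reset that grant to deny. It assumes adb is on PATH and a single Android 8.0+ device with USB debugging is attached; the REVOKE variable is the example's own convention.

```shell
#!/bin/sh
# Added example (not from the Outpost24 report): audit an attached Android 8.0+
# device for apps holding the per-app "install unknown apps" grant and, with
# REVOKE=1, reset that grant to deny.
# Assumes adb is on PATH and exactly one device with USB debugging is attached.

# Classify the output of `appops get <pkg> REQUEST_INSTALL_PACKAGES`.
# Prints ALLOW, DENY or UNSET; returns 0 only when the app may request APK installs.
classify_install_op() {
    case "$1" in
        *"REQUEST_INSTALL_PACKAGES: allow"*) echo ALLOW; return 0 ;;
        *"REQUEST_INSTALL_PACKAGES: deny"*)  echo DENY;  return 1 ;;
        *)                                   echo UNSET; return 1 ;;
    esac
}

# Strip adb's CR line endings and the "package:" prefix from `pm list packages`.
parse_package_list() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p'
}

# Report third-party packages (pm -3) that can currently request APK installs.
# With REVOKE=1 the grant is set to deny; the user would have to re-enable it by hand.
audit_device() {
    parse_package_list "$(adb shell pm list packages -3)" |
    while read -r pkg; do
        [ -n "$pkg" ] || continue
        op=$(adb shell appops get "$pkg" REQUEST_INSTALL_PACKAGES | tr -d '\r')
        if state=$(classify_install_op "$op"); then
            echo "SIDELOAD-CAPABLE  $pkg  ($state)"
            if [ "${REVOKE:-0}" = 1 ]; then
                adb shell appops set "$pkg" REQUEST_INSTALL_PACKAGES deny
                echo "  -> install grant revoked for $pkg"
            fi
        fi
    done
}

# Only talk to a device when adb is actually available.
if command -v adb >/dev/null 2>&1; then
    audit_device
fi
```

On a managed device the equivalent enforcement is the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction pushed by the MDM, which users cannot undo from Settings.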

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

Android, Malware, RAT, Mirax, Meta, Facebook, MaaS, SOCKS5
