[{"data":1,"prerenderedAt":136},["ShallowReactive",2],{"article-slug-mirax-android-rat-spreads-via-meta-ads-as-malware-as-a-service":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":37,"sources":38,"events":49,"mitre_techniques":56,"mitre_mitigations":73,"d3fend_countermeasures":88,"iocs":101,"cyber_observables":102,"tags":118,"extract_datetime":124,"article_type":125,"impact_scope":126,"pub_date":134,"reading_time_minutes":135,"createdAt":124,"updatedAt":124},"420486e2-b7e3-4ab5-93d2-9cbeca600016","mirax-android-rat-spreads-via-meta-ads-as-malware-as-a-service","Mirax Android RAT Infects 220,000+ Devices via Meta Ads, Sold as Exclusive MaaS","New 'Mirax' Android RAT Spreads via Facebook and Instagram Ads, Offered as Malware-as-a-Service","A new Android Remote Access Trojan (RAT) named Mirax is being distributed through malicious advertisements on Meta's platforms, including Facebook and Instagram, primarily targeting Spanish-speaking users. Researchers at Outpost24 report that the malware has infected over 220,000 devices. Mirax gives attackers full remote control and turns the infected device into a SOCKS5 proxy to anonymize other malicious traffic. The malware is being sold as a private, high-end Malware-as-a-Service (MaaS) on underground forums, with subscriptions starting at $2,500.","## Executive Summary\nA new and sophisticated Android Remote Access Trojan (RAT) named **Mirax** is being actively distributed through malicious ads on **[Meta](https://about.facebook.com/)**'s popular platforms, including Facebook, Instagram, and Messenger. According to research from Outpost24's KrakenLabs, the campaign has already infected over 220,000 users, with a primary focus on Spanish-speaking countries. The malware provides attackers with full remote control over the victim's device. A key feature of Mirax is its ability to turn the infected Android phone into a residential SOCKS5 proxy, which is then used to route and anonymize other malicious activities. The operation is professionally run, with the threat actor, known as **Mirax Bot**, selling the malware as an exclusive Malware-as-a-Service (MaaS) on underground forums.\n\n---\n\n## Threat Overview\nThe Mirax campaign demonstrates a multi-stage attack chain that leverages trusted platforms for initial distribution.\n\n### Attack Chain\n1.  **Distribution:** The primary infection vector is malicious advertisements on Meta's social media apps. These ads lead users to web pages hosting dropper applications. The campaign also uses **[GitHub](https://github.com/)** to host malicious APK files.\n2.  **Installation:** The user is tricked into downloading and installing a dropper app. During installation, the app requests permission to install from \"unknown sources,\" a critical step to bypass the Google Play Store's security.\n3.  **Payload Deployment:** Once the necessary permissions are granted, the dropper application executes a multi-stage process that downloads and installs the final Mirax RAT payload.\n4.  **Execution:** The Mirax RAT establishes a command-and-control (C2) connection and provides the attacker with full remote access to the device.\n\n### Malware Capabilities\n- **Remote Control:** Full real-time access to the device, including files, contacts, and messages.\n- **Proxyfication:** The malware's key function is to turn the device into a SOCKS5 proxy node. This allows the attacker to use the victim's IP address and internet connection to conduct other attacks, making them harder to trace.\n\n## Impact Assessment\nThe impact on the 220,000+ victims is severe. Their devices are fully compromised, leading to the theft of personal data, banking credentials, and private conversations. Furthermore, their devices are being used as part of a criminal infrastructure, which could potentially implicate the device owner in malicious activities conducted through the proxy.\n\nThe operation is notable for its business model. Mirax is not a widespread, low-quality malware; it's marketed as a private, high-end MaaS. Subscription prices start at $2,500 for three months, with a preference for Russian-speaking actors with established reputations. This indicates a sophisticated threat actor focused on providing a reliable, high-quality tool for other criminals, rather than just conducting the attacks themselves.\n\n## Detection and Response\n- **For Users:** If you suspect your device is infected, look for unusual battery drain, high data usage, or apps that you don't remember installing. The best course of action is to perform a factory reset of the device after backing up important data (like photos). After resetting, change the passwords for all accounts that were used on the device.\n- **Check Permissions:** Regularly review the permissions granted to your apps. Be especially wary of any app that has permission to \"install unknown apps.\"\n\n## Mitigation\n1.  **Avoid Sideloading Apps:** The most effective mitigation is to only install applications from the official Google Play Store. Disable the \"Install from unknown sources\" permission on your Android device.\n2.  **Scrutinize App Permissions:** When installing any new app, even from the Play Store, carefully review the permissions it requests. A simple game does not need access to your contacts and messages.\n3.  **Use a Mobile Security App:** Reputable mobile antivirus solutions can detect and block known malware like Mirax.\n4.  **Be Wary of Ads:** Exercise caution when clicking on advertisements, especially those that promise free or premium versions of popular apps. If an ad directs you to a website to download an APK file, it is almost certainly malicious.","📱 New Android RAT 'Mirax' infects 220k+ devices via Meta ads! The malware turns phones into SOCKS5 proxies and is sold as a private MaaS. Beware of sideloading apps from ads. #Android #Malware #CyberSecurity #Mirax","A new Android RAT named Mirax is spreading via malicious ads on Facebook and Instagram, infecting over 220,000 users and turning their devices into SOCKS5 proxies as part of a Malware-as-a-Service operation.",[13,14,15],"Malware","Mobile Security","Threat Actor","high",[18,21,24,28,31,34],{"name":19,"type":20},"Mirax RAT","malware",{"name":22,"type":23},"Mirax Bot","threat_actor",{"name":25,"type":26,"url":27},"Meta","company","https://about.facebook.com/",{"name":29,"type":26,"url":30},"GitHub","https://github.com/",{"name":32,"type":33},"Outpost24","security_organization",{"name":35,"type":36},"SOCKS5","technology",[],[39,44],{"url":40,"title":41,"friendly_name":42,"website":43},"https://securityaffairs.co/161906/malware/mirax-android-rat.html","Mirax malware campaign hits 220K accounts, enables full remote control","Security Affairs","securityaffairs.co",{"url":45,"title":46,"friendly_name":47,"website":48},"https://www.bankinfosecurity.com/mirax-rat-targets-android-devices-through-meta-apps-a-24869","Mirax RAT Targets Android Devices Through Meta Apps","BankInfoSecurity","bankinfosecurity.com",[50,53],{"datetime":51,"summary":52},"2026-03-01T00:00:00Z","The Mirax RAT campaign is first identified by researchers.",{"datetime":54,"summary":55},"2026-04-15T00:00:00Z","Public reports emerge detailing the Mirax campaign and its Malware-as-a-Service model.",[57,61,65,69],{"id":58,"name":59,"tactic":60},"T1475","Install from Unknown Sources","Defense Evasion",{"id":62,"name":63,"tactic":64},"T1417","Input Capture","Collection",{"id":66,"name":67,"tactic":68},"T1429","Remote Access Tools","Command and Control",{"id":70,"name":71,"tactic":72},"T1437","Sideloading","Initial Access",[74,79,84],{"id":75,"name":76,"description":77,"domain":78},"M1042","Disable or Remove Feature or Program","Disabling the 'Install from unknown sources' feature on Android devices is the most effective mitigation against this threat.","mobile",{"id":80,"name":81,"description":82,"domain":83},"M1017","User Training","Educating users about the dangers of sideloading applications and clicking on suspicious ads is a critical preventative measure.","enterprise",{"id":85,"name":86,"description":87,"domain":78},"M1049","Antivirus/Antimalware","Using a reputable mobile security application can help detect and block the installation of malicious APKs.",[89,95],{"technique_id":90,"technique_name":91,"url":92,"recommendation":93,"mitre_mitigation_id":94},"D3-ACH","Application Configuration Hardening","https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening","The most critical defense against the Mirax RAT is to harden the configuration of the Android OS itself. Specifically, users must ensure that the 'Install from unknown sources' setting is disabled. This single setting prevents the installation of any application (APK file) that does not come from the official Google Play Store. The entire Mirax attack chain relies on tricking the user into enabling this feature. By proactively disabling it, users can effectively shut down this primary infection vector. For enterprise environments with managed mobile devices (MDM), this setting should be enforced via policy so that end-users cannot change it.","M1054",{"technique_id":96,"technique_name":97,"url":98,"recommendation":99,"mitre_mitigation_id":100},"D3-EDL","Executable Denylisting","https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting","For users who have already been infected or are at high risk, mobile security software that incorporates executable denylisting can provide protection. Reputable mobile antivirus and security applications maintain blocklists of known malicious APKs and their signatures. When a user attempts to download or install a file matching a known malicious signature, the security software will block the action and alert the user. While this is a reactive measure, it is an important layer of defense for catching known threats like Mirax, especially for users who may be more susceptible to the social engineering tactics used in the malicious Meta ads.","M1038",[],[103,108,113],{"type":104,"value":105,"description":106,"context":107,"confidence":16},"file_name","*.apk","The malware is distributed as an Android Application Package (APK) file, often hosted on GitHub or third-party websites linked from ads.","Web proxy logs, browser download history",{"type":109,"value":110,"description":111,"context":112,"confidence":16},"network_traffic_pattern","Outbound SOCKS5 traffic from an Android device","Unexplained SOCKS5 proxy traffic originating from a mobile device is a strong indicator of compromise by Mirax or similar proxyware.","Firewall logs, Netflow analysis",{"type":114,"value":115,"description":116,"context":117,"confidence":16},"string_pattern","Enable 'Install from unknown sources'","Social engineering lure used by the malware to gain the necessary permissions to be installed outside of the Google Play Store.","User education, security awareness training",[119,13,120,121,25,122,123,35],"Android","RAT","Mirax","Facebook","MaaS","2026-04-15T15:00:00.000Z","NewsArticle",{"geographic_scope":127,"industries_affected":128,"other_affected":130,"people_affected_estimate":133},"regional",[129],"Telecommunications",[131,132],"Android users","Users of Meta platforms","220,000+","2026-04-15",3,1776260636392]