Infected devices no longer obey their rightful owner.

A new player has appeared on the Android malware market: one that not only steals data and hijacks control of the smartphone, but also uses other people's devices as a convenient intermediate hub for further attacks. Mirax quickly gained popularity among criminals and has already been seen in campaigns against users in Spanish-speaking countries, where the attackers promoted infected applications through advertising on Meta's services.
Cleafy researchers described the new scheme. According to them, Mirax is distributed as a closed service to a limited number of partners. Judging by their observations, access to the platform goes primarily to established members of Russian-speaking underground communities. This approach helps the malware's authors keep their operations hidden and avoid leaks for longer.
The malware is disguised as IPTV apps, video players, apps for IoT devices, and even adult content. Users are lured to phishing pages through advertisements on Facebook and Instagram and are then offered an APK file to download from GitHub Releases. The links check whether the page is opened from a mobile device, which complicates analysis. Cleafy estimates the reach of the observed advertising campaigns at more than 200 thousand accounts.
Once installed, Mirax gains remote device control capabilities. Operators can view the screen, control the interface, launch applications, and collect SMS messages, the clipboard contents and screen-lock information, including PIN code, pattern lock and biometric settings. To steal credentials, Mirax loads HTML overlays from its server and displays them on top of legitimate applications, including banking and cryptocurrency apps.
The main feature of the new campaign, however, is another function: Mirax can turn an infected smartphone into a residential proxy node. Using SOCKS5 support and the Yamux multiplexing mechanism, attackers can route their own traffic through the victim's real IP address.
Such a scheme helps bypass geographic restrictions, lowers the chance of being flagged by anti-fraud systems, and lets compromised devices be used not only for direct fraud but also as part of a wider criminal infrastructure.
The report's authors believe Mirax marks a new stage in the evolution of Android threats. Where residential proxies were previously associated mostly with IoT botnets and cheap Android devices, a similar mechanism has now been built into a full-fledged banking Trojan with surveillance and remote-access functions. This combination makes each infection noticeably more profitable for the operators and widens the range of abuse even in cases where full takeover of the device has failed.
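For defenders, the Yamux detail above is useful because Yamux has a fixed, recognizable 12-byte frame header. The following added example (not code from Cleafy's report or from Mirax itself) parses standard Yamux frames from a captured byte stream and flags a session that opens a stream and then pushes data on it, the pattern a multiplexed proxy tunnel produces; it assumes the malware uses unmodified Yamux framing, and the sample bytes are constructed.

```python
import struct
from dataclasses import dataclass

# Yamux header layout (12 bytes, big-endian), per the HashiCorp Yamux spec:
# version(1) type(1) flags(2) stream_id(4) length(4)
YAMUX_HEADER = struct.Struct(">BBHII")
TYPES = {0: "DATA", 1: "WINDOW_UPDATE", 2: "PING", 3: "GO_AWAY"}
FLAGS = {0x1: "SYN", 0x2: "ACK", 0x4: "FIN", 0x8: "RST"}

@dataclass
class YamuxFrame:
    type: str
    flags: list
    stream_id: int
    length: int

def parse_yamux_frames(data: bytes) -> list:
    """Walk a byte buffer and return the Yamux frames it contains.
    Returns an empty list as soon as a header is not valid Yamux, so the
    caller can treat 'zero frames' as 'not a Yamux session'."""
    frames, off = [], 0
    while off + YAMUX_HEADER.size <= len(data):
        ver, typ, flags, sid, length = YAMUX_HEADER.unpack_from(data, off)
        if ver != 0 or typ not in TYPES:
            return []
        off += YAMUX_HEADER.size
        # Only DATA frames carry a payload of `length` bytes; for WINDOW_UPDATE
        # and PING the length field is a window delta / opaque value instead.
        if typ == 0:
            if off + length > len(data):
                return []
            off += length
        names = [n for bit, n in FLAGS.items() if flags & bit]
        frames.append(YamuxFrame(TYPES[typ], names, sid, length))
    return frames

def looks_like_yamux_proxy_session(data: bytes) -> bool:
    """Detection heuristic: a stream is opened (SYN) and DATA then flows on it.
    Ordinary mobile apps rarely speak Yamux to an arbitrary remote host, so a
    match on an outbound connection from a phone is worth investigating."""
    frames = parse_yamux_frames(data)
    opened = {f.stream_id for f in frames if "SYN" in f.flags}
    return any(f.type == "DATA" and f.stream_id in opened for f in frames)

# Constructed sample: the client opens stream 1 (WINDOW_UPDATE with SYN), then
# sends a DATA frame on it carrying a SOCKS5 greeting (ver 5, 1 method, no-auth).
SAMPLE = (YAMUX_HEADER.pack(0, 1, 0x1, 1, 0)
          + YAMUX_HEADER.pack(0, 0, 0, 1, 3) + b"\x05\x01\x00")
```

Run over per-connection payload captures from a suspect device, the function gives a cheap first-pass triage signal; confirm by checking whether the peer host is one the app legitimately needs.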