Mirax, a nascent Android remote access trojan, is being spread via Meta ads that lure Spanish-speaking users to dropper pages masquerading as streaming services and has reached over 220,000 accounts. It couples full RAT functionality with a SOCKS5 residential proxy using Yamux multiplexing to enable real-time device control, credential theft via overlays, and traffic routing through victims' IPs.
Key points
- Mirax targets Spanish-speaking users via Meta ads and malicious dropper pages posing as streaming services.
- It provides full RAT functionality including keystroke capture, photo theft, UI navigation, and credential-stealing overlays.
- Infected devices can be converted into SOCKS5 residential proxies with Yamux multiplexing for geolocation evasion and fraud.
- The malware is offered as a private MaaS with subscription pricing and crypter options like Virbox and Golden Crypt.
- Dropper APKs are hosted on GitHub, employ multi-stage extraction, request accessibility and unknown-source installs, and use anti-analysis checks.
Read More: https://thehackernews.com/2026/04/mirax-android-rat-turns-devices-into.html