Mirax Android malware turns infected phones into residential proxy nodes


A newly documented Android malware family called Mirax is targeting users through fake streaming and IPTV lures spread with paid ads on Meta platforms. Cleafy says the malware has appeared in campaigns since March 2026 and can steal credentials, take control of devices, and turn infected phones into residential proxy nodes that route attacker traffic through the victim’s home IP address.

That proxy feature is what makes Mirax stand out. Cleafy says the malware uses SOCKS5 support with Yamux multiplexing over WebSocket channels, which lets attackers push different kinds of traffic through an infected device while making it look like activity from a normal residential user.
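To make that multiplexing concrete for anyone analysing captured traffic from a suspect device, the following is an added example (not Cleafy's tooling and not Mirax code): a small parser for the Yamux framing that Cleafy says Mirax layers over its WebSocket channel. Yamux frames carry a fixed 12-byte big-endian header (version, type, flags, stream id, length), and only Data frames carry a payload. The sample channel is constructed here; the SOCKS5 greeting bytes inside it are the standard `05 01 00` handshake, used purely as illustrative stream content.

```python
"""Parse a Yamux-multiplexed byte stream and summarise the logical streams it carries."""
import struct
from dataclasses import dataclass

YAMUX_HEADER_LEN = 12  # version(1) type(1) flags(2) stream_id(4) length(4), big-endian
TYPE_DATA, TYPE_WINDOW_UPDATE, TYPE_PING, TYPE_GO_AWAY = 0, 1, 2, 3
TYPE_NAMES = {0: "Data", 1: "WindowUpdate", 2: "Ping", 3: "GoAway"}
FLAG_SYN, FLAG_ACK, FLAG_FIN, FLAG_RST = 0x1, 0x2, 0x4, 0x8


@dataclass
class YamuxFrame:
    ftype: int
    flags: int
    stream_id: int
    length: int          # payload length for Data; window delta / ping value / error code otherwise
    payload: bytes = b""

    @property
    def type_name(self) -> str:
        return TYPE_NAMES[self.ftype]


def parse_yamux(data: bytes) -> list:
    """Split a buffer (e.g. reassembled WebSocket binary messages) into Yamux frames."""
    frames = []
    off = 0
    while off < len(data):
        if off + YAMUX_HEADER_LEN > len(data):
            raise ValueError(f"truncated header at offset {off}")
        version, ftype, flags, stream_id, length = struct.unpack_from(">BBHII", data, off)
        if version != 0 or ftype not in TYPE_NAMES:
            raise ValueError(f"not a Yamux frame at offset {off}")
        off += YAMUX_HEADER_LEN
        payload = b""
        if ftype == TYPE_DATA:  # only Data frames are followed by `length` payload bytes
            if off + length > len(data):
                raise ValueError(f"truncated payload at offset {off}")
            payload = data[off:off + length]
            off += length
        frames.append(YamuxFrame(ftype, flags, stream_id, length, payload))
    return frames


def summarize_streams(frames) -> dict:
    """Per-stream view: bytes carried and open/close state. Stream 0 is the session itself."""
    streams = {}
    for f in frames:
        if f.stream_id == 0:
            continue
        s = streams.setdefault(f.stream_id, {"bytes": 0, "opened": False, "closed": False})
        if f.flags & FLAG_SYN:
            s["opened"] = True
        if f.flags & (FLAG_FIN | FLAG_RST):
            s["closed"] = True
        if f.ftype == TYPE_DATA:
            s["bytes"] += len(f.payload)
    return streams


def looks_like_yamux(data: bytes) -> bool:
    """Cheap triage check: does the buffer decode cleanly as one or more Yamux frames?"""
    try:
        return len(parse_yamux(data)) > 0
    except ValueError:
        return False


def build_frame(ftype: int, flags: int, stream_id: int, payload_or_value=b"") -> bytes:
    """Helper used only to construct the sample channel below."""
    if ftype == TYPE_DATA:
        payload, length = payload_or_value, len(payload_or_value)
    else:
        payload, length = b"", payload_or_value
    return struct.pack(">BBHII", 0, ftype, flags, stream_id, length) + payload


# Constructed sample: two client-initiated streams (odd ids) plus a keepalive ping.
SAMPLE_CHANNEL = b"".join([
    build_frame(TYPE_WINDOW_UPDATE, FLAG_SYN, 1, 0),
    build_frame(TYPE_DATA, 0, 1, b"\x05\x01\x00"),                 # SOCKS5 greeting on stream 1
    build_frame(TYPE_WINDOW_UPDATE, FLAG_SYN, 3, 0),
    build_frame(TYPE_DATA, 0, 3, b"\x05\x01\x00" + b"\x00" * 17),  # 20 bytes on stream 3
    build_frame(TYPE_PING, FLAG_SYN, 0, 0x1234),
    build_frame(TYPE_DATA, FLAG_FIN, 1, b""),                      # stream 1 half-closed
])

if __name__ == "__main__":
    for frame in parse_yamux(SAMPLE_CHANNEL):
        print(frame.type_name, "stream", frame.stream_id, "flags", hex(frame.flags), "len", frame.length)
    print(summarize_streams(parse_yamux(SAMPLE_CHANNEL)))
```

The defensive signal is the shape this exposes: a single long-lived WebSocket from a phone that keeps opening fresh odd-numbered streams, each carrying a SOCKS5 handshake, is a multiplexed proxy tunnel rather than ordinary app traffic.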

The campaign also shows how mobile malware operators keep adapting their delivery methods. Researchers say Mirax has been marketed since December 19, 2025, as a malware-as-a-service offering for a small number of trusted affiliates, mainly Russian-speaking actors, rather than as a widely sold crimeware kit.

How the attack works

According to Cleafy, the infection chain starts with social media ads that lead users to phishing pages posing as streaming or IPTV services. Victims then download an Android package hosted on GitHub Releases instead of the Play Store, which fits the scam because users already expect unofficial streaming apps to require sideloading.

Once installed, the dropper decrypts and delivers the final payload, disguises itself as a video playback utility, and asks for Accessibility Services. Cleafy says the app then runs in the background while showing a fake error page so the victim believes the install failed.

Researchers also say the operators rotate package hashes daily on GitHub Releases even when the underlying app content does not change. That helps the malware avoid simple hash-based detection without forcing the attackers to rebuild the whole package every day.
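One practical answer to daily hash rotation is to fingerprint what is inside the package rather than the package file itself. The following added example (not from Cleafy and not Mirax code) builds three constructed APK-like ZIP archives: two with identical payload entries but different timestamps, archive comments and signature files, and a third whose `classes.dex` actually changed. The file SHA-256 differs for all three, while a fingerprint over the sorted (name, CRC32, size) triples of the non-`META-INF/` entries matches the first two and flags the third. Entry names and contents are invented for illustration.

```python
"""Content-based APK fingerprinting that survives cosmetic repacking (added example)."""
import hashlib
import io
import zipfile


def file_sha256(data: bytes) -> str:
    """Plain file hash: the indicator that daily repacking defeats."""
    return hashlib.sha256(data).hexdigest()


def content_fingerprint(apk_bytes: bytes) -> str:
    """Hash of sorted (name, CRC32, size) for payload entries.

    Ignores ZIP timestamps, the archive comment and META-INF/ (signature block),
    all of which change when a package is re-signed or re-zipped without code changes.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        entries = sorted(
            (info.filename, info.CRC, info.file_size)
            for info in zf.infolist()
            if not info.filename.startswith("META-INF/")
        )
    h = hashlib.sha256()
    for name, crc, size in entries:
        h.update(f"{name}\0{crc}\0{size}\n".encode())
    return h.hexdigest()


def is_known_content(apk_bytes: bytes, known_fingerprints: set) -> bool:
    """Match a fresh download against fingerprints of previously analysed samples."""
    return content_fingerprint(apk_bytes) in known_fingerprints


def build_apk_like(entries: dict, stamp: tuple, comment: bytes = b"") -> bytes:
    """Construct an in-memory ZIP resembling an APK; used only to make the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, content)
        zf.comment = comment
    return buf.getvalue()


# Constructed payload: identical "app" on day 1 and day 2, a real code change on day 3.
PAYLOAD = {
    "AndroidManifest.xml": b"<manifest package='example.player'/>",
    "classes.dex": b"dex\n035\x00" + b"\x11" * 64,
    "res/raw/loader.bin": b"\x00" * 32,
}
DAY1 = build_apk_like({**PAYLOAD, "META-INF/CERT.RSA": b"sig-day1"}, (2026, 3, 1, 0, 0, 0))
DAY2 = build_apk_like({**PAYLOAD, "META-INF/CERT.RSA": b"sig-day2"}, (2026, 3, 2, 0, 0, 0), b"build-2")
DAY3 = build_apk_like(
    {**PAYLOAD, "classes.dex": b"dex\n035\x00" + b"\x22" * 64, "META-INF/CERT.RSA": b"sig-day3"},
    (2026, 3, 3, 0, 0, 0),
)

if __name__ == "__main__":
    known = {content_fingerprint(DAY1)}
    for label, blob in (("day1", DAY1), ("day2", DAY2), ("day3", DAY3)):
        print(label, "sha256", file_sha256(blob)[:16], "known content:", is_known_content(blob, known))
```

This only closes the cheapest evasion; an operator who recompiles or re-obfuscates the DEX changes the CRCs too, so pair it with the signing certificate, behavioural detection on the device, and the delivery-chain blocking listed below.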

Why defenders should pay attention

Mirax does more than run classic banking-trojan tricks. Security reporting based on the Cleafy research says the campaigns reached more than 220,000 accounts across Facebook, Instagram, Messenger, and Threads, which suggests the operators are willing to spend on scale while keeping distribution controlled.

The proxy function creates a second revenue stream for the attackers. By routing traffic through compromised phones, they can hide malicious activity behind real residential IP addresses, which may help them bypass geolocation filters, fraud controls, and reputation-based defenses. That last point is an inference drawn from the residential proxy capability described by Cleafy.

Cleafy also says Mirax can still activate its proxy module even if the victim refuses the Accessibility Services request. That means the attackers may still profit from partially compromised devices, even when full device-control features do not activate.

Mirax at a glance

Item | Details
Malware family | Mirax
Platform | Android
First forum appearance | December 19, 2025
Active campaigns observed | March 2026 onward
Main lure | Fake IPTV and sports streaming apps
Delivery | Phishing sites and sideloaded APKs via GitHub Releases
Key capability | Residential proxy via SOCKS5 and Yamux over WebSocket
Secondary capability | Credential theft and remote access features

Source: Cleafy research and follow-up reporting.

What users and security teams should do

  • Avoid sideloading Android apps from links in social media ads, especially streaming or IPTV offers.
  • Review Accessibility permissions and remove access for unknown or suspicious apps.
  • Check devices for recently installed apps disguised as video or playback tools.
  • Monitor for unusual proxy-like traffic from mobile devices connected to corporate services.
  • Block or review GitHub Releases downloads tied to known phishing delivery chains when that fits your environment.

These are defensive recommendations based on the delivery and behavior described in the Cleafy report.

FAQ

What makes Mirax different from a normal Android banking trojan?

Its biggest differentiator is the residential proxy feature. Cleafy says Mirax does not just steal data or control the device. It can also let attackers relay traffic through the victim’s real IP address.

How does Mirax spread?

Researchers say it spreads through fake streaming and IPTV pages promoted with paid ads on Meta platforms, then pushes users to sideload APK files hosted on GitHub Releases.

Does Mirax still work if the victim denies Accessibility access?

Partly, yes. Cleafy says the malware can still enable its proxy module with fewer permissions, even when the full Accessibility request fails.

Who is behind Mirax?

Cleafy says Mirax is offered as a controlled malware-as-a-service product to a small number of trusted affiliates, with preference for Russian-speaking actors on underground forums.
