Malware

Mirax Android RAT: when banking trojans become residential proxies

Published: 6/5/2026

It’s been a rough few months for residential proxy networks. In March 2026, the DOJ and Europol took down SocksEscort, a criminal proxy service that had quietly enrolled 369,000 IP addresses across 163 countries. A few weeks earlier, Google’s Threat Intelligence Group disrupted IPIDEA, a network so large that they observed over 550 threat groups routing traffic through it in a single week. The FBI followed up with a public advisory warning consumers that their devices could be weaponised without their knowledge.

These takedowns highlight a persistent question: where does this proxy infrastructure come from? 

Part of the answer sits on compromised consumer devices. Our Threat Intelligence team has been tracking a new Android RAT, Mirax, since March 2026, and what we found should change the conversation about mobile banking fraud in ways most fraud teams haven’t considered yet.

A banking trojan with a side business

At first glance, Mirax looks like the Android banking trojans we’ve been tracking for years — families like TeaBot, Albiriox, and PlayPraetor. It uses dynamic HTML overlays to steal credentials from banking and crypto apps. It can take full remote control of a device through VNC. It intercepts SMS messages, logs keystrokes, and harvests lock-screen credentials.

But Mirax adds something we hadn’t seen baked into a mobile banking trojan before: a built-in SOCKS5 proxy module that turns every infected phone into a residential proxy node.

That’s worth sitting with for a moment. The same device used to steal a customer’s banking credentials could also be used as infrastructure, allowing other attackers to route their traffic through a clean, legitimate residential IP address. Two revenue streams, one infection. And even if the user never grants Accessibility Services and the full RAT fails to activate, the proxy module can still run in the background. The attacker doesn’t walk away empty-handed.

The malware is sold as a private Malware-as-a-Service, restricted to vetted, Russian-speaking affiliates. Campaigns currently target Spain through Meta advertisements reaching over 200,000 accounts, using fake sports streaming apps as bait. Our team has identified overlay templates for 182+ targeted applications and counting, all loaded dynamically from the attacker’s server, so new banks can be added to the hit list at any time.

Why this breaks the fraud detection equation

For years, IP reputation and geolocation have been pillars of fraud detection stacks. If a transaction comes from the customer’s usual IP address, the right country, and a recognised device, it gets a lower risk score. That works well enough when attackers are operating from data centres or VPNs that can be flagged.

Mirax builds on a pattern already seen in other malware and extends it with integrated proxy functionality. When attacker traffic is routed through a victim’s phone, it arrives from a genuine residential IP address in the correct geographic region. As with families seen in the past, such as Albiriox, the IP appears clean because the traffic originates from a real user device in the expected region. Geo-checks pass. IP scoring returns nothing suspicious. Device-IP binding holds.

And this is where regulation makes it even more urgent. Under PSD3 and the new Payment Services Regulation, European banks will carry increased liability for fraud they fail to detect. A threat that compromises the device, steals the credentials, and launders the traffic through a trusted IP all at once? That’s exactly the kind of attack that defeats traditional controls and triggers that liability.

Detection has to happen at the session level

Here’s the problem: no single detection layer catches this. App-level security doesn’t see the proxy traffic leaving the device. Network-level fraud detection trusts the IP because it’s legitimately residential. Transaction monitoring fires too late, after the credentials have already been harvested and the proxy infrastructure is already in use.

You need the ability to see across layers in real time: device integrity, session behaviour, and network signals, all correlated within a single view. That’s what the Cleafy platform does: end-to-end session visibility with white-box detection that explains exactly what triggered an alert — not just a score. Threats like Mirax don’t show up if you’re only watching one layer. They become visible when device compromise and anomalous session behaviour are analysed together, rather than in isolation. 
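To make the cross-layer argument concrete, here is an added illustration (not Cleafy’s code or detection logic) of why an IP-plus-geo score passes a Mirax-style session while a correlated score that lists its reasons flags it. Signal names, weights and the three sample sessions are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Session:
    """Signals for one banking session; all fields are constructed, not real telemetry."""
    ip_is_residential: bool
    ip_country: str
    customer_country: str
    device_known: bool               # fingerprint matches the customer's usual phone
    accessibility_granted: bool      # an unknown app holds Accessibility Services
    overlay_detected: bool           # a foreign window is drawn over the bank's login UI
    typing_cadence_human: bool       # keystroke timing looks like a person
    remote_control_indicators: bool  # input events with no matching touch (VNC-style)
    new_payee_transfer: bool         # transfer to a never-seen beneficiary

def ip_layer_score(s: Session) -> tuple[int, list[str]]:
    """Legacy scoring: IP reputation, geolocation and device binding only."""
    reasons = []
    if not s.ip_is_residential:
        reasons.append("non-residential IP")
    if s.ip_country != s.customer_country:
        reasons.append("geo mismatch")
    if not s.device_known:
        reasons.append("unknown device")
    return 30 * len(reasons), reasons

def cross_layer_score(s: Session) -> tuple[int, list[str]]:
    """White-box scoring: network, device-integrity and behaviour layers, correlated."""
    score, reasons = ip_layer_score(s)
    device = [n for n, hit in (("accessibility granted to unknown app", s.accessibility_granted),
                               ("overlay over login screen", s.overlay_detected)) if hit]
    behaviour = [n for n, hit in (("non-human typing cadence", not s.typing_cadence_human),
                                  ("remote-control input events", s.remote_control_indicators)) if hit]
    score += 20 * (len(device) + len(behaviour))
    reasons += device + behaviour
    # The correlation is the point: a clean residential IP must not cancel out a compromised device.
    if device and behaviour:
        score += 40
        reasons.append("device compromise correlated with anomalous behaviour")
    if s.new_payee_transfer and (device or behaviour):
        score += 20
        reasons.append("new-payee transfer inside a suspicious session")
    return score, reasons

# Constructed samples: RAT_SESSION is driven through the victim's own phone over VNC,
# so IP, geo and device binding all pass; PROXY_SESSION is an attacker's own client
# relayed through the phone's proxy module, so only device binding is off.
RAT_SESSION = Session(True, "ES", "ES", True, True, True, False, True, True)
PROXY_SESSION = Session(True, "ES", "ES", False, False, False, False, False, True)
LEGIT_SESSION = Session(True, "ES", "ES", True, False, False, True, False, False)
```

The RAT session scores zero on the IP layer alone, which is exactly the "clean residential IP" blind spot the article describes; the reason list is what turns the score into an explainable alert.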

Our Threat Intelligence team identified Mirax through continuous monitoring of underground MaaS marketplaces, the same channels where we first spotted TeaBot, BingoMod, and dozens of other families before they hit mainstream detection. That early visibility feeds directly into the platform: intelligence from the field flows directly into detection rules, so our customers are protected before the broader industry even has a sample to analyse.

What comes next

Mobile malware isn’t just about stealing credentials anymore. It’s becoming a multi-purpose infrastructure. Mirax is an early example, but it won’t be the last. With PSD3 shifting more fraud liability onto banks and the residential proxy economy growing rapidly, European financial institutions need to ask themselves whether they’ll have the visibility to catch these threats when (and not if!) they reach their customers.

Want to understand how Mirax could affect your institution, or see how Cleafy detects cross-layer threats in real time? Get in touch with our team.
