Mirax expands the mobile fraud playbook

Mirax, an emerging Android banking trojan being marketed as a malware-as-a-service operation, is drawing attention from mobile security researchers after reports that it can do more than steal banking credentials. Analysts say the malware can remotely control infected phones and repurpose them as residential proxy nodes, giving cybercriminals a way to hide malicious traffic behind ordinary consumer devices while pursuing financial fraud across Europe.

The threat stands out because it appears to combine several criminal tactics in one package. Researchers tracking Mirax say the malware is being promoted on underground forums as a service for hire, lowering the barrier to entry for fraud actors who do not need to build their own tools. Once installed, it can present fake overlays on top of legitimate banking and payment apps to capture usernames, passwords and one-time passcodes. Security analysts also say it supports hidden remote control of infected devices, allowing attackers to navigate apps and authorise transactions without obvious signs to the user.

What has sharpened concern is the proxy capability. According to the research now circulating in the cyber threat community, infected devices can be turned into SOCKS5 proxy nodes, letting operators route their own traffic through compromised handsets and out onto the victim's consumer internet connection, which is what makes them "residential" proxies. That makes the phones useful beyond direct account theft: the same devices can disguise follow-on fraud, abuse geo-targeted services or support other criminal campaigns that benefit from appearing to come from residential internet connections rather than from known hostile infrastructure.

Researchers have tied the campaign largely to Europe, with indications that Spanish-speaking users are a particular focus. One threat intelligence summary said the malware had spread through fake lures and infrastructure designed to reach users in that segment, while security write-ups described Mirax as part of a broader wave of Android malware that is becoming more specialised, modular and commercially packaged. The naming varies slightly across reports, with some referring to “Mirax” and others to “Mirax Bot”, but the core description is consistent: a banking-focused Android threat with remote access features and commercial distribution.

That commercial model matters. The cybercrime ecosystem has been moving steadily towards subscription-based tools, with operators renting malware, phishing kits and access infrastructure much as legitimate software vendors sell cloud services. In Mirax’s case, one industry report said the malware was being advertised privately for as much as $2,500 a month. Such pricing suggests sellers believe there is sustained demand for mobile-first fraud tools that can help bypass stronger bank security, especially as desktop banking attacks become easier to detect and banks shift more customer activity to smartphones.

Mirax also fits a wider pattern in mobile financial crime. Security firms have spent the past year tracking Android malware families that abuse accessibility permissions, overlays, SMS interception and remote control to defeat multi-factor authentication. What makes Mirax notable is the breadth of the toolkit reportedly bundled into one service, including support for hundreds of banking and payment application “injects” and the ability to log keystrokes, intercept messages and record lock-screen information. For defenders, that means the line between classic banking trojans and full remote access tools is blurring further.

For users, the infection chain remains a critical weakness. Publicly available reporting on Mirax points to distribution methods that rely on social engineering, including malicious advertisements and droppers hosted on familiar platforms. That reflects a broader shift in mobile threats: attackers increasingly depend on convincing victims to install software outside trusted app stores or to grant intrusive permissions after installation. Once that trust is broken, the malware can move quickly from credential harvesting to persistent device abuse.

Banks and telecom security teams are likely to watch this threat closely for another reason: residential proxies complicate detection. Fraud systems often flag logins or transactions that arrive from hosting providers or other known-suspicious infrastructure, but a hijacked phone on a household connection looks far less anomalous. That does not make the fraud invisible: a single residential address that suddenly serves logins for many unrelated accounts, or a session arriving from an app installation the account has never used, still stands out. It does make attribution and blocking harder, particularly when criminals blend stolen credentials, live device control and local-looking network traffic in the same operation. The result is a more adaptable model of mobile fraud, one that turns the victim's handset into both a target and a tool.
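To make that concrete, the following is an added example, not code from the article or from any vendor's fraud engine, showing the kind of checks a fraud team could run over login events to pick proxy-relayed sessions out of otherwise residential-looking traffic. The event fields, the enrolled-device table, the residential/hosting labels and the sample logins are all constructed for the example, and the thresholds are illustrative.

```python
"""Added example: spotting fraud sessions relayed through residential proxy nodes.

Everything here is constructed for illustration: the Login fields, the
ENROLLED device table, the residential/hosting labels (assumed to come from
an IP-enrichment feed) and the sample events. Thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    ts: datetime
    account: str
    src_ip: str
    asn_kind: str   # "residential" or "hosting" (assumed enrichment label)
    device: str     # per-installation app identifier (assumed field)


def _t(hour, minute):
    # Constructed timestamps; the date is arbitrary.
    return datetime(2024, 1, 1, hour, minute)


# Which app installation each customer enrolled (constructed).
ENROLLED = {f"acct-{i}": f"dev-{i}" for i in range(1, 9)}

# Constructed sample. acct-1..acct-3 are ordinary logins, except that acct-3
# arrives from hosting space. 198.51.100.9 is the home connection of acct-4,
# whose infected phone is also relaying four fraud sessions (acct-5..acct-8)
# from app installations those customers never enrolled.
SAMPLE = [
    Login(_t(9, 0), "acct-1", "192.0.2.10", "residential", "dev-1"),
    Login(_t(9, 30), "acct-1", "192.0.2.10", "residential", "dev-1"),
    Login(_t(9, 5), "acct-2", "192.0.2.20", "residential", "dev-2"),
    Login(_t(9, 10), "acct-3", "203.0.113.7", "hosting", "dev-3"),
    Login(_t(9, 12), "acct-4", "198.51.100.9", "residential", "dev-4"),
    Login(_t(9, 14), "acct-5", "198.51.100.9", "residential", "dev-x1"),
    Login(_t(9, 16), "acct-6", "198.51.100.9", "residential", "dev-x2"),
    Login(_t(9, 18), "acct-7", "198.51.100.9", "residential", "dev-x3"),
    Login(_t(9, 20), "acct-8", "198.51.100.9", "residential", "dev-x4"),
]


def hosting_logins(events):
    """Classic infrastructure rule. A residential proxy node evades it entirely."""
    return {(e.account, e.src_ip) for e in events if e.asn_kind == "hosting"}


def shared_residential_ips(events, window=timedelta(minutes=10), min_accounts=4):
    """Residential IPs that serve at least `min_accounts` distinct accounts
    within `window`. A household line normally carries one or two customers;
    this fan-out is what a relaying proxy node looks like from the bank's side."""
    by_ip = defaultdict(list)
    for e in events:
        if e.asn_kind == "residential":
            by_ip[e.src_ip].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            in_window = {e.account for e in evs[i:] if e.ts - first.ts <= window}
            if len(in_window) >= min_accounts:
                hits[ip] = hits.get(ip, frozenset()) | in_window
    return hits


def unenrolled_device_logins(events, enrolled):
    """Sessions from an app installation other than the one enrolled for the account.
    Separates the relay's owner (own device) from the sessions riding through it."""
    return {(e.account, e.device) for e in events if enrolled.get(e.account) != e.device}


def risk_report(events, enrolled, **window_args):
    """Map each account to the sorted list of indicators raised against it."""
    reasons = defaultdict(set)
    for acct, ip in hosting_logins(events):
        reasons[acct].add(f"hosting-asn:{ip}")
    for ip, accts in shared_residential_ips(events, **window_args).items():
        for acct in accts:
            reasons[acct].add(f"shared-residential-ip:{ip}")
    for acct, dev in unenrolled_device_logins(events, enrolled):
        reasons[acct].add(f"unenrolled-device:{dev}")
    return {acct: sorted(r) for acct, r in reasons.items()}


def high_risk(report, min_indicators=2):
    """Accounts with enough independent indicators to hold the transaction."""
    return {acct for acct, r in report.items() if len(r) >= min_indicators}


if __name__ == "__main__":
    report = risk_report(SAMPLE, ENROLLED)
    for acct in sorted(report):
        print(acct, report[acct])
    print("hold:", sorted(high_risk(report)))
```

Run on the sample, the hosting rule catches only acct-3, the fan-out rule names 198.51.100.9 and all five accounts seen behind it, and the device check separates acct-4 (the infected node's owner, logging in from the phone they enrolled) from acct-5 to acct-8, which are the only accounts carrying two independent indicators. Treat these as signals to score rather than verdicts: carrier-grade NAT on a mobile network also puts many subscribers behind one address, so the fan-out threshold needs tuning per ASN, and a customer who reinstalls the app will trip the device check once.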

Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.