Mirax expands the mobile fraud playbook

Mirax, an emerging Android banking trojan being marketed as a malware-as-a-service operation, is drawing attention from mobile security researchers after reports that it can do more than steal banking credentials. Analysts say the malware can remotely control infected phones and repurpose them as residential proxy nodes, giving cybercriminals a way to hide malicious traffic behind ordinary consumer devices while pursuing financial fraud across Europe.

The threat stands out because it appears to combine several criminal tactics in one package. Researchers tracking Mirax say the malware is being promoted on underground forums as a service for hire, lowering the barrier to entry for fraud actors who do not need to build their own tools. Once installed, it can present fake overlays on top of legitimate banking and payment apps to capture usernames, passwords and one-time passcodes. Security analysts also say it supports hidden remote control of infected devices, allowing attackers to navigate apps and authorise transactions without obvious signs to the user.

ADVERTISEMENT

What has sharpened concern is the proxy capability. According to the research now circulating in the cyber threat community, infected devices can be turned into SOCKS5 or residential proxy nodes, letting operators route traffic through compromised handsets. That makes the phones useful beyond direct account theft, because the same devices can help disguise follow-on fraud, abuse geo-targeted services or support other criminal campaigns that benefit from appearing to come from residential internet connections rather than known hostile infrastructure.

Researchers have tied the campaign largely to Europe, with indications that Spanish-speaking users are a particular focus. One threat intelligence summary said the malware had spread through fake lures and infrastructure designed to reach users in that segment, while security write-ups described Mirax as part of a broader wave of Android malware that is becoming more specialised, modular and commercially packaged. The naming varies slightly across reports, with some referring to “Mirax” and others to “Mirax Bot”, but the core description is consistent: a banking-focused Android threat with remote access features and commercial distribution.

That commercial model matters. The cybercrime ecosystem has been moving steadily towards subscription-based tools, with operators renting malware, phishing kits and access infrastructure much as legitimate software vendors sell cloud services. In Mirax’s case, one industry report said the malware was being advertised privately for as much as $2,500 a month. Such pricing suggests sellers believe there is sustained demand for mobile-first fraud tools that can help bypass stronger bank security, especially as desktop banking attacks become easier to detect and banks shift more customer activity to smartphones.

Mirax also fits a wider pattern in mobile financial crime. Security firms have spent the past year tracking Android malware families that abuse accessibility permissions, overlays, SMS interception and remote control to defeat multi-factor authentication. What makes Mirax notable is the breadth of the toolkit reportedly bundled into one service, including support for hundreds of banking and payment application “injects” and the ability to log keystrokes, intercept messages and record lock-screen information. For defenders, that means the line between classic banking trojans and full remote access tools is blurring further.

For users, the infection chain remains a critical weakness. Publicly available reporting on Mirax points to distribution methods that rely on social engineering, including malicious advertisements and droppers hosted on familiar platforms. That reflects a broader shift in mobile threats: attackers increasingly depend on convincing victims to install software outside trusted app stores or to grant intrusive permissions after installation. Once that trust is broken, the malware can move quickly from credential harvesting to persistent device abuse.

ADVERTISEMENT

Banks and telecom security teams are likely to watch this threat closely for another reason: residential proxies can complicate detection. Fraud systems often flag logins or transactions from suspicious infrastructure, but a hijacked phone on a household connection can look less anomalous. That does not make fraud invisible, yet it can make attribution and blocking harder, particularly when criminals blend stolen credentials, live device control and local-looking network traffic in the same operation. The result is a more adaptable model of mobile fraud, one that turns the victim’s handset into both a target and a tool.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.


ADVERTISEMENT
Social Media Auto Publish Powered By : XYZScripts.com
Just in:
Central & Western District Youth-to-Career Explo Connects Hong Kong Youth to Future Careers in AI Era // Trump scraps Hormuz levy but tightens Iran blockade // Paymentology and T2P partner to accelerate the future of card issuing in Thailand // Dealing.com claims record for tokenised stock access // US missiles disable tanker bound for Iran // Louis Vuitton Celebrates 130 Years of the Monogram // Alessio Vinassa: ‘Generative AI Is the Most Important Creative Tool Since the Camera — and the Most Misunderstood’ // A SIM Guide to Comparing Graduate Salaries and Employability in Singapore // Revolut clears first hurdle for Dubai crypto launch // Xsolla and Management and Science University (MSU) Sign Memorandum of Understanding (MOU) to Connect Future Game Developers With Global Commercial Opportunities // Dubai weighs turning organic waste into aviation fuel // Rhenus to Further Strengthen Warehousing Solutions in the Philippines // Launch ceremony of third edition of Hong Kong Fashion Fest Held on July 9 // CyCraft Named a Sample Provider in the Gartner® Latest AI Reasoning Models Report—The Only Taiwan-Based Cybersecurity Provider Listed // DITP Launches THAI SELECT Festival 2026 in New York to Strengthen U.S. Market Opportunities for Thailand’s Food Industry // Gadkari’s Ethanol Defence Is Losing The Public Argument // Guardian Fire expands Midwest reach with Nebraska deal // UK sets overnight social media curfew for teens // Iran widens energy threat as Hormuz battle escalates // AI tools sharpen cybercrime as quishing surges //