A New Android Malware Is Using Your Phone as a Proxy
Cybersecurity researchers have uncovered a sophisticated new threat called the Mirax Android RAT, a Remote Access Trojan that has quietly reached over 220,000 users through advertisements served on Meta platforms including Facebook and Instagram. What makes Mirax particularly notable is not just its scale, but what it does once installed: it converts infected Android devices into nodes in a SOCKS5 proxy network, effectively turning ordinary smartphones into tools that route criminal internet traffic.
If you have ever clicked on a mobile ad and been prompted to install an app outside of the official Google Play Store, this threat is relevant to you.
What Is a SOCKS5 Proxy Botnet and Why Do Criminals Build Them?
To understand why Mirax is dangerous, it helps to understand what SOCKS5 proxies are and why they are valuable to cybercriminals.
A SOCKS5 proxy is a type of internet relay that routes network traffic through an intermediary device. Legitimate uses exist: businesses use proxies for network management, and privacy-conscious users sometimes route traffic through trusted servers to mask their IP addresses. SOCKS5 is flexible and fast, making it attractive for both legitimate and malicious purposes.
Criminals, however, prize proxy networks for a specific reason: anonymity. When attackers route their activity through thousands of compromised smartphones, their real location and identity become nearly impossible to trace. Each infected device acts as a stepping stone. Investigators following the trail of a cyberattack may end up pointing at an innocent person's phone in another country rather than at the actual attacker.
This is also why botnet-based proxy networks are commercially valuable in criminal markets. Operators can rent out access to these networks, providing other bad actors with a distributed, constantly refreshing pool of residential IP addresses that look far more legitimate than data center servers typically flagged by security systems.
The Mirax RAT appears designed to build exactly this kind of infrastructure, while simultaneously stealing personal data from infected devices.
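For readers who want to see what the relay protocol described in this section looks like on the wire, the following added example (not part of the original article, and not taken from any Mirax analysis) parses the two client messages defined in RFC 1928, the SOCKS5 specification, from captured payload bytes. The sample byte strings are constructed, and the article does not state whether Mirax's proxy traffic is observable in this plain form.

```python
import ipaddress
import struct

# Method and command codes from RFC 1928.
METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}

# Constructed samples: a greeting offering two auth methods, and a
# CONNECT request for example.com on port 443.
SAMPLE_GREETING = b"\x05\x02\x00\x02"
SAMPLE_REQUEST = b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"


def parse_greeting(data):
    """Client greeting: VER | NMETHODS | METHODS. Returns method names or None."""
    if len(data) < 3 or data[0] != 0x05:
        return None
    count = data[1]
    if count == 0 or len(data) != 2 + count:
        return None  # length must match the declared method count
    return [METHODS.get(m, f"0x{m:02x}") for m in data[2:]]


def parse_request(data):
    """Client request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 7 or data[0] != 0x05 or data[2] != 0x00:
        return None
    if data[1] not in COMMANDS:
        return None
    atyp, body = data[3], data[4:]
    if atyp == 0x01 and len(body) == 6:            # IPv4 address + port
        host = str(ipaddress.IPv4Address(body[:4]))
    elif atyp == 0x04 and len(body) == 18:         # IPv6 address + port
        host = str(ipaddress.IPv6Address(body[:16]))
    elif atyp == 0x03 and len(body) == 1 + body[0] + 2:  # length-prefixed name
        host = body[1:1 + body[0]].decode("ascii", errors="replace")
    else:
        return None  # unknown address type or truncated message
    (port,) = struct.unpack("!H", body[-2:])
    return {"command": COMMANDS[data[1]], "host": host, "port": port}


if __name__ == "__main__":
    print(parse_greeting(SAMPLE_GREETING))
    print(parse_request(SAMPLE_REQUEST))
```

A match on these byte layouts is a heuristic, since other protocols can begin with the same bytes; treat it as a reason to look closer at the flow.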
How Mirax Spreads Through Meta Advertising
The delivery mechanism for Mirax is worth examining carefully because it exploits something most users have become comfortable with: social media ads.
Researchers found that Mirax reached its 220,000-plus victims through malicious advertisements running on Meta platforms. These ads likely directed users to download applications outside of official app stores, a technique known as sideloading. Android's open architecture allows users to install apps from third-party sources, which is a feature that malware distributors consistently exploit.
The use of paid advertising to distribute malware reflects a broader shift in how cybercriminals operate. Rather than relying solely on phishing emails or compromised websites, threat actors are now investing in legitimate ad infrastructure to reach large audiences quickly and convincingly. A well-crafted ad can appear trustworthy, especially when it runs alongside content from friends and family.
Meta has systems in place to detect and remove malicious ads, but the scale of its advertising platform means that some campaigns inevitably slip through before being caught.
What This Means For You
If you use an Android device and regularly interact with social media ads, the Mirax campaign is a direct reminder of several practical risks.
First, your device can be compromised without your knowledge and used to facilitate criminal activity. Being part of a botnet does not necessarily cause obvious symptoms. Your phone may run slightly warmer or drain its battery faster, but many users would not notice or would attribute those signs to something else.
Second, the goals that criminal proxy networks serve, specifically masking traffic and hiding identity online, are the same goals that consumers legitimately pursue through VPNs and privacy tools. The critical difference is consent and security. A legitimate VPN routes your own traffic through a trusted, encrypted server you have chosen. A botnet routes someone else's criminal traffic through your device without your knowledge, exposing you to potential legal scrutiny and consuming your bandwidth and data.
Third, encountering ads for applications on social media platforms does not make those applications safe. The source of an ad does not guarantee the legitimacy of what is being advertised.
Actionable Steps to Protect Your Android Device
Protecting yourself from threats like Mirax does not require technical expertise, but it does require consistent habits.
- Only install apps from the Google Play Store. Avoid sideloading applications prompted by ads, links in messages, or third-party websites, regardless of how legitimate they appear.
- Review app permissions carefully. A flashlight app does not need access to your contacts or the ability to run background network services. Excessive permissions are a warning sign.
- Keep your operating system and apps updated. Security patches close vulnerabilities that malware exploits.
- Use reputable mobile security software. Several well-regarded security applications can detect known malware families and flag suspicious behavior.
- Be skeptical of mobile ads promoting app downloads. If an ad is pushing you toward an installation, verify the app through official channels before proceeding.
- Monitor your data usage. Unexplained spikes in background data consumption can indicate that your device is being used for purposes you did not authorize.
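For readers comfortable with Android's developer tools, the first step above can be checked directly. This added example (not part of the original article) parses the output of `adb shell pm list packages -3 -i`, which lists user-installed packages with the app that installed each one, and reports those that did not come from the Play Store. The package names in the sample listing are constructed, and the trusted-installer set is an assumption to adjust for devices that ship with another official store.

```python
import subprocess

PLAY_STORE = "com.android.vending"  # package name of the Google Play Store app

# Constructed sample in the format printed by `pm list packages -3 -i`.
SAMPLE_LISTING = """\
package:com.example.notes  installer=com.android.vending
package:com.example.streamplayer  installer=com.google.android.packageinstaller
package:com.example.cleaner  installer=null
"""


def parse_installers(listing):
    """Map each package name to its installer package (None if unrecorded)."""
    result = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition(" ")
        installer = None
        for token in rest.split():
            if token.startswith("installer="):
                installer = token[len("installer="):]
        # An absent installer is printed as "null".
        result[name] = None if installer in (None, "", "null") else installer
    return result


def sideloaded(listing, trusted=frozenset({PLAY_STORE})):
    """Return the packages whose installer is not in the trusted set."""
    installers = parse_installers(listing)
    return sorted(pkg for pkg, src in installers.items() if src not in trusted)


def listing_from_device():
    """Fetch the live listing; needs adb on PATH and USB debugging enabled."""
    cmd = ["adb", "shell", "pm", "list", "packages", "-3", "-i"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for package in sideloaded(SAMPLE_LISTING):
        print("not installed from Play Store:", package)
```

A flagged package is not proof of infection; it is a list of apps whose origin deserves a second look.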
The Mirax Android RAT is a clear example of how criminal operations have matured to exploit everyday digital habits at scale. Understanding how these attacks work is the first step toward making choices that keep your device, your data, and your internet connection genuinely your own.




