[TIMESTAMP: 2026-04-14 12:29 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Mirax Android RAT: Bypassing Security via Malicious Meta Ads

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Mirax Android RAT compromises devices to steal sensitive data and converts infected hardware into illicit SOCKS5 proxies.
  • [02] Android devices are primarily targeted through deceptive advertising campaigns hosted on Meta platforms including Facebook and Instagram.
  • [03] Defenders must restrict third-party application installations and monitor for anomalous network traffic indicative of unauthorized proxy activity.

The Mirax malware campaign represents a significant escalation in mobile threat delivery methods. According to The Hacker News, the campaign has successfully reached over 220,000 accounts across the Meta ecosystem, including Facebook, Instagram, Messenger, and Threads. This specific operation targets Spanish-speaking users, leveraging the trust associated with social media advertisements to distribute a sophisticated remote access trojan.

Mirax is designed with a dual-purpose capability: data exfiltration and network proxying. By integrating SOCKS5 proxy functionality, the attackers can transform a compromised mobile device into a network exit point. This allows threat actors to mask their origin and perform subsequent malicious activities—such as credential stuffing or bypassing geographical restrictions—using the IP address of a legitimate mobile user. This makes the campaign particularly dangerous as it turns innocent users’ devices into infrastructure for further cybercrime.

Detecting Mirax Android RAT Infections

Security analysts must look for specific indicators that suggest a device has been onboarded into the Mirax botnet. Detection efforts should focus on anomalous network behavior, in particular a persistent outbound connection to unknown C2 infrastructure that no sanctioned application accounts for, followed by the device opening connections to many unrelated destinations as it relays traffic on the operator's behalf. Because the malware leverages social media platforms for initial delivery, analysts should also monitor for unauthorized APK downloads originating from browser sessions initiated within social media apps.
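As an added example (not code from the article or from any Mirax sample), the check below runs the two behaviours described above over constructed gateway flow records: a long-lived outbound session to a host that no sanctioned app explains, and a burst of connections to many unrelated destinations, which is what a handset relaying someone else's traffic looks like from the network edge. The CSV field names, the allowlist of expected destinations and the thresholds are assumptions to be tuned against your own baseline; the addresses are RFC 5737 documentation ranges, not real infrastructure.

```python
"""Flag handsets whose egress looks like a proxy relay (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed gateway flow export (assumed CSV shape). phone-a is a normal
# handset; phone-b holds a six-hour session to an unknown host and then fans
# out to thirty unrelated addresses. 198.51.100.0/24 and 203.0.113.0/24 are
# RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_FLOWS = "\n".join(
    ["device,dst_ip,dst_port,start,end",
     "phone-a,142.250.0.10,443,2026-04-14T09:00:00,2026-04-14T09:00:05",
     "phone-a,157.240.0.35,443,2026-04-14T09:10:00,2026-04-14T09:10:40",
     "phone-b,142.250.0.10,443,2026-04-14T09:00:00,2026-04-14T09:00:04",
     "phone-b,198.51.100.7,8443,2026-04-14T09:01:00,2026-04-14T15:01:00"]
    + [f"phone-b,203.0.113.{i},443,2026-04-14T10:{i:02d}:00,2026-04-14T10:{i:02d}:09"
       for i in range(1, 31)]
)

# Assumed allowlist: destinations the sanctioned apps on these devices reach.
KNOWN_DESTS = {"142.250.0.10", "157.240.0.35"}


def parse_flows(text):
    """Parse the CSV export into dicts with datetime start/end fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "device": row["device"],
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "start": datetime.fromisoformat(row["start"]),
            "end": datetime.fromisoformat(row["end"]),
        })
    return flows


def analyze(flows, known_dests, persist_seconds=3600, fanout_threshold=25):
    """Return {device: [finding, ...]} for devices showing relay traits.

    Thresholds are assumptions: tune them against a baseline of clean devices.
    """
    by_device = defaultdict(list)
    for f in flows:
        by_device[f["device"]].append(f)

    findings = {}
    for device, dev_flows in sorted(by_device.items()):
        notes = []
        unknown = [f for f in dev_flows if f["dst_ip"] not in known_dests]
        # Trait 1: a long-lived session to a host no sanctioned app explains
        # (the outbound C2/relay channel a proxy implant keeps open).
        for f in unknown:
            secs = int((f["end"] - f["start"]).total_seconds())
            if secs >= persist_seconds:
                notes.append(
                    f"persistent {secs}s connection to {f['dst_ip']}:{f['dst_port']}")
        # Trait 2: fan-out to many distinct unknown destinations, the footprint
        # of a device relaying other people's requests.
        distinct = {f["dst_ip"] for f in unknown}
        if len(distinct) >= fanout_threshold:
            notes.append(f"fan-out to {len(distinct)} distinct unknown destinations")
        if notes:
            findings[device] = notes
    return findings


if __name__ == "__main__":
    for device, notes in analyze(parse_flows(SAMPLE_FLOWS), KNOWN_DESTS).items():
        print(device)
        for note in notes:
            print("  -", note)
```

On the constructed data only phone-b is reported, once for the six-hour session and once for the fan-out. A single long session is not conclusive on its own (push services and VPN clients also hold one), so in practice treat a device as suspect when both traits appear together or when the long-lived peer is absent from the allowlist built from your managed app inventory.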

Android SOCKS5 Proxy Malware Analysis

Technical analysis reveals that Mirax tunnels operator traffic through the infected device using the SOCKS5 protocol, a common technique for evading IP-reputation controls at the sites the operator then attacks rather than the victim's own perimeter. Unlike malware that only exfiltrates data, the proxy capability gives the attacker a persistent, silent presence on the device. Because the relayed traffic leaves from the victim's residential or carrier IP address, it bypasses reputation-based blocking and SOC alerts that would otherwise flag connections from known malicious data centers.

The malware gains initial access through social-engineering lures disguised as legitimate software updates or utility apps within social media feeds, which lead the user to download and sideload an APK. Once active, the user-visible symptoms include increased battery consumption and unexpected data usage as the device relays external traffic; these are hints rather than hard indicators of compromise, which are found in the app inventory and network logs. In many cases the infected device becomes part of a larger proxy pool used to anonymize other offensive operations.
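To make the relay concrete, here is an added RFC 1928 decoder and responder (not taken from the article or from a Mirax sample): it parses the SOCKS5 greeting and CONNECT request a proxy operator sends and builds the replies a compliant proxy returns, so a responder can recognise the exchange in a capture from an infected handset and see where the operator is being relayed to. One caveat a practitioner needs: a phone behind carrier-grade NAT usually cannot accept inbound connections, so implants typically carry this same exchange inside an outbound session to the attacker's relay; search outbound streams for it, not only inbound. The byte strings below are constructed.

```python
"""Decode and answer the SOCKS5 handshake (RFC 1928); added example."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02

# Constructed capture of one operator session (not real Mirax traffic):
# a greeting offering "no authentication", then CONNECT example.com:443.
CAPTURED_GREETING = bytes([SOCKS_VERSION, 0x01, NO_AUTH])
CAPTURED_REQUEST = (bytes([SOCKS_VERSION, 0x01, 0x00, ATYP_DOMAIN, len(b"example.com")])
                    + b"example.com" + struct.pack("!H", 443))


def parse_greeting(data):
    """Client: VER NMETHODS METHODS... -> list of offered auth methods."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    n = data[1]
    if len(data) < 2 + n:
        raise ValueError("truncated greeting")
    return list(data[2:2 + n])


def greeting_reply(methods):
    """Server: VER METHOD, 0xFF when no offered method is acceptable."""
    chosen = NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def parse_request(data):
    """Client: VER CMD RSV ATYP DST.ADDR DST.PORT -> (command, host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if cmd not in COMMANDS:
        raise ValueError(f"unknown command {cmd:#x}")
    if atyp == ATYP_IPV4:
        addr_len, offset = 4, 4
    elif atyp == ATYP_IPV6:
        addr_len, offset = 16, 4
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated request")
        addr_len, offset = data[4], 5   # length-prefixed, no terminator
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) < offset + addr_len + 2:
        raise ValueError("truncated request")
    raw = data[offset:offset + addr_len]
    host = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    port = struct.unpack("!H", data[offset + addr_len:offset + addr_len + 2])[0]
    return COMMANDS[cmd], host, port


def request_reply(rep, bound_ip="0.0.0.0", bound_port=0):
    """Server: VER REP RSV ATYP BND.ADDR BND.PORT; success echoes the bound socket."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bound_ip).packed + struct.pack("!H", bound_port))


def decode_session(greeting, request):
    """Walk one captured client stream and summarise what the operator asked for."""
    methods = parse_greeting(greeting)
    command, host, port = parse_request(request)
    return {"auth_methods": methods, "command": command, "target": f"{host}:{port}"}


if __name__ == "__main__":
    print(decode_session(CAPTURED_GREETING, CAPTURED_REQUEST))
    print(greeting_reply(parse_greeting(CAPTURED_GREETING)).hex())
    print(request_reply(REP_SUCCEEDED, "192.0.2.1", 1080).hex())
```

The first byte of each message is the version 0x05 and the request's reserved byte is always 0x00, so a two-byte signature at stream start followed by a method count is a cheap first filter in a capture; the decoder then tells you whether the session is CONNECT (TCP relay) or UDP_ASSOCIATE and which host the operator is reaching through the victim.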

Preventing Malicious Meta Ads Campaigns

Mitigating the risk of Mirax requires a multi-layered approach to mobile security. Organizations should prioritize user education regarding the dangers of sideloading applications from non-official sources, even when presented through reputable platforms like Facebook or Messenger.

Defensive strategies should align with the MITRE ATT&CK framework for mobile, in particular the techniques Ingress Tool Transfer, Command and Scripting Interpreter and Proxy Through Victim. Deploying SIEM solutions that correlate mobile device logs with network traffic can help identify the unauthorized proxying behavior characteristic of this campaign. Furthermore, enterprises should implement strict mobile device management (MDM) policies. On Android 8 and later the old global "Install from Unknown Sources" toggle has been replaced by a per-app "Install unknown apps" permission, so the policy must block sideloading through the device-owner user restriction (UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES) rather than a single setting, and it should keep Google Play Protect scanning enabled. While no specific CVE is currently associated with this campaign, as it relies on social engineering rather than software exploits, the scale of the distribution via Meta Ads demonstrates the effectiveness of malvertising in the modern threat landscape.
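A quick triage check that goes with the MDM policy, added here and not from the article: given the output of `adb shell pm list packages -i -3` (assumed line shape `package:<name>  installer=<installer or null>`), it lists third-party apps whose installer is not a trusted store and separates manual sideloads (installed by the system package installer, or with no recorded installer) from apps that came through some other store. The sample output, package names and allowlist are constructed assumptions; add your MDM agent's package to the allowlist if it installs apps on your behalf.

```python
"""Find sideloaded third-party apps in `pm list packages -i` output (added example)."""
import re

# Constructed sample in the assumed shape of `adb shell pm list packages -i -3`.
# None of these package names refer to a real Mirax sample.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.update.helper  installer=com.google.android.packageinstaller
package:com.util.cleaner  installer=null
package:com.vendor.store.app  installer=com.sec.android.app.samsungapps
"""

# Assumption: only Google Play is sanctioned; extend with your MDM agent or
# an OEM store if those are allowed to install apps in your fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Installers that mean a human (or a browser download) pushed the APK onto the
# device: the system package installer, or no installer recorded at all.
SIDELOAD_INSTALLERS = {"null", "com.android.packageinstaller",
                       "com.google.android.packageinstaller"}

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def classify_installs(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return [(package, installer, verdict)] for apps not from a trusted store."""
    flagged = []
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank lines and anything not in the expected shape
        pkg, installer = m.groups()
        if installer in trusted:
            continue
        verdict = "manual sideload" if installer in SIDELOAD_INSTALLERS else "untrusted installer"
        flagged.append((pkg, installer, verdict))
    return flagged


if __name__ == "__main__":
    for pkg, installer, verdict in classify_installs(SAMPLE_PM_OUTPUT):
        print(f"{verdict:20} {pkg:30} installer={installer}")
```

The "manual sideload" rows are the ones to pull for analysis first: they are exactly what a lure that walks a user from a social media ad to an APK download produces, and they are the installs that the user restriction above would have blocked.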
