Mirax Android RAT: Turning Devices into SOCKS5 Proxies via Meta Ads
A new Android Remote Access Trojan (RAT) named Mirax has been identified actively targeting Spanish-speaking countries. What sets Mirax apart is its distribution method: the operators run paid advertisements on Meta platforms (Facebook, Instagram, Messenger, and Threads) to steer victims to the malware. The campaign has already reached over 220,000 accounts, which shows the reach and potential impact of this emerging threat.
What is Mirax?
Mirax is an Android RAT whose distinguishing feature is turning infected devices into SOCKS5 proxies. An attacker who connects through such a proxy has their traffic leave from the victim's handset, on a residential or mobile-carrier IP address, which masks the attacker's true origin and makes the activity look like ordinary consumer traffic to whatever it reaches. In effect, Mirax enrols everyday smartphones into a proxy network and botnet that the operators, or whoever they sell access to, can use for any purpose they choose.
Beyond proxying, Mirax integrates standard RAT functionalities, granting threat actors significant control over infected devices. This includes:
- Remote Control: Full access and control over the device’s functions.
- Data Exfiltration: Stealing sensitive information such as contacts, SMS messages, call logs, and installed applications.
- File Management: Uploading, downloading, and deleting files on the device.
- Location Tracking: Monitoring the device’s location.
- Camera and Microphone Access: Recording audio and video without user consent.
- SMS/MMS Manipulation: Sending and receiving SMS/MMS messages.
- Network Traffic Interception: Intercepting and analyzing network traffic from the device.
Distribution via Meta Ads
The most concerning aspect of Mirax is its distribution method: malvertising. Cybercriminals are paying for advertisements on Meta platforms to lure users into downloading the malicious application. The exact nature of these advertisements varies, but common tactics include:
- Fake Productivity Apps: Advertising seemingly legitimate utility apps, such as task managers, file cleaners, or battery optimizers.
- Prizes and Contests: Promoting fraudulent contests or sweepstakes that require users to download an app to participate.
- Social Engineering: Using emotionally charged or misleading content to trick users into clicking on malicious links.
When a user clicks on one of these ads, they are typically redirected to a malicious website or a fake app store where the Mirax-infected application is hosted. Because the app is not delivered through Google Play, it has to be sideloaded: the user must allow installs from unknown sources for the browser or downloader that fetched the APK, and that prompt is itself a warning sign. Users who believe they are installing a legitimate application accept it and install the RAT onto their devices.
Technical Analysis
Preliminary analysis suggests that Mirax is written in Java/Kotlin (the usual languages for Android apps) and relies on standard Android permissions, rather than any platform exploit, to reach device functionality. The SOCKS5 proxy is likely implemented with ordinary socket APIs; the protocol itself needs no privilege beyond INTERNET. More detailed reverse engineering is needed to fully understand the malware's inner workings and command-and-control (C2) infrastructure.
Example of potentially dangerous Android permissions requested by Mirax, as they would be declared in AndroidManifest.xml:
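To make concrete what "acts as a SOCKS5 proxy" means on the wire, here is an added example (my code, not the Mirax sample's) that builds and parses the client side of a SOCKS5 handshake as defined in RFC 1928: the method greeting followed by a CONNECT request. The sample stream is constructed; the parser assumes the proxy selected NO AUTHENTICATION, so the request follows the greeting directly in the client-to-server byte stream. One caveat: handsets sit behind carrier NAT, so a device-hosted proxy usually holds an outbound connection to an attacker relay rather than listening on a port; the handshake below is what flows inside that tunnel.

```python
"""Build and parse the client side of a SOCKS5 handshake (RFC 1928).

Added example, not code from the Mirax sample. Useful for recognising
proxy traffic in a capture taken from a suspect device.
"""
import ipaddress
import struct
from typing import Optional

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_client_stream(host: str, port: int,
                        methods=(METHOD_NO_AUTH,)) -> bytes:
    """Greeting followed by a CONNECT request, as a client sends them when
    the proxy answers the greeting with NO AUTHENTICATION (no sub-negotiation)."""
    greeting = bytes([SOCKS_VERSION, len(methods), *methods])
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    except ValueError:                      # not an IP literal: domain name
        raw = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    request = bytes([SOCKS_VERSION, 0x01, 0x00]) + addr + struct.pack("!H", port)
    return greeting + request


def parse_client_stream(data: bytes) -> Optional[dict]:
    """Return the offered auth methods and the request target, or None if the
    bytes do not start with a well-formed SOCKS5 client handshake."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    methods = list(data[2:2 + nmethods])
    off = 2 + nmethods
    # Request layout: VER CMD RSV ATYP DST.ADDR DST.PORT
    if len(data) < off + 4 or data[off] != SOCKS_VERSION or data[off + 2] != 0x00:
        return {"methods": methods, "request": None}   # greeting only so far
    cmd, atyp = data[off + 1], data[off + 3]
    off += 4
    if atyp == ATYP_IPV4 and len(data) >= off + 4:
        host, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif atyp == ATYP_IPV6 and len(data) >= off + 16:
        host, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    elif atyp == ATYP_DOMAIN and len(data) > off:
        n = data[off]
        if len(data) < off + 1 + n:
            return None
        host, off = data[off + 1:off + 1 + n].decode("idna"), off + 1 + n
    else:
        return None
    if len(data) < off + 2:
        return None
    port = struct.unpack("!H", data[off:off + 2])[0]
    return {"methods": methods,
            "cmd": CMD_NAMES.get(cmd, f"0x{cmd:02x}"),
            "host": host, "port": port}


# Constructed sample: what a customer of a device-hosted proxy sends to
# reach example.com:443 through it.
SAMPLE_STREAM = build_client_stream("example.com", 443)

if __name__ == "__main__":
    print(parse_client_stream(SAMPLE_STREAM))
    print(parse_client_stream(b"GET / HTTP/1.1\r\n"))
```

Fed with the first client-to-server bytes of each TCP stream from a suspect device, `parse_client_stream` returns the destination the proxy user asked for, which is what you want in an incident report: it shows whose traffic the victim's phone was carrying, not just that a proxy existed.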
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.READ_SMS" />
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.READ_CALL_LOG" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.RECORD_AUDIO" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
These permissions are not malicious in themselves, but they should raise red flags when an application's stated purpose does not justify them. A simple calculator or battery optimizer has no reason to read your contacts, SMS messages, or camera. Two caveats for anyone triaging a manifest: on Android 6.0 and later, the dangerous permissions (SMS, contacts, call log, location, camera, microphone) are only granted when the user approves a runtime prompt, so the malware must also persuade the victim to tap Allow; and WRITE_EXTERNAL_STORAGE has no effect for apps targeting Android 11 or later, so its presence mainly tells you the app was built against older targets.
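The check above can be automated. The following is an added example of my own (not tooling from the Mirax analysis) that reads a decoded AndroidManifest.xml, groups the requested permissions into capability buckets, and reports every capability the app's declared purpose does not account for. The bucket names and the "battery saver" manifest wrapping the permissions listed above are my constructions; decode a real APK's manifest first (for instance with apktool) and pass the path on the command line.

```python
"""Static triage of a decoded AndroidManifest.xml.

Added example. The capability buckets are my own grouping, not part of
the Mirax analysis. Usage: python triage.py path/to/AndroidManifest.xml
(with no argument a constructed sample manifest is used).
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

P = "android.permission."
CAPABILITY_PERMS = {
    "network":            {P + "INTERNET"},
    "sms_read_intercept": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "sms_send":           {P + "SEND_SMS"},
    "contacts":           {P + "READ_CONTACTS"},
    "call_log":           {P + "READ_CALL_LOG"},
    "location":           {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "camera_mic":         {P + "CAMERA", P + "RECORD_AUDIO"},
    "storage":            {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
}

# Constructed sample: the permission list from the article wrapped in a
# manifest for a supposed battery optimizer.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterysaver">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_CALL_LOG" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <application android:label="Battery Saver Pro" />
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """All permission names declared via uses-permission / uses-permission-sdk-23."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR)
            for tag in ("uses-permission", "uses-permission-sdk-23")
            for el in root.iter(tag) if el.get(NAME_ATTR)}


def triage(manifest_xml: str, expected_capabilities=frozenset()) -> dict:
    """Map each capability the app has no stated need for to the permissions
    that grant it. expected_capabilities lists what the app's purpose justifies."""
    perms = requested_permissions(manifest_xml)
    findings = {}
    for cap, needed in CAPABILITY_PERMS.items():
        hit = perms & needed
        if hit and cap not in expected_capabilities:
            findings[cap] = sorted(hit)
    return findings


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    # A battery optimizer can plausibly justify network and storage, nothing else.
    for cap, perms in triage(xml_text, {"network", "storage"}).items():
        print(f"unexpected capability {cap}: {', '.join(perms)}")
```

The output is a list of capabilities to explain, not a verdict: a messaging app legitimately lands in the SMS buckets. The useful signal is the combination of several unexplained buckets with INTERNET in an app whose description mentions none of them.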
Impact and Risks
The impact of Mirax is multifaceted:
- Compromised Devices as Proxies: Infected devices become part of a botnet, contributing to malicious activities such as distributed denial-of-service (DDoS) attacks, spam campaigns, and credential stuffing.
- Privacy Violation: Personal data, including contacts, SMS messages, and location data, is stolen and potentially sold on the dark web or used for identity theft.
- Financial Loss: Threat actors can use the compromised device for fraudulent financial transactions or to access online banking accounts.
- Reputational and Legal Exposure: Attacks routed through a proxied device appear, to their targets, to originate from the victim's IP address. It is the victim, not the attacker, who turns up in abuse reports, account bans, or law-enforcement inquiries.
Mitigation and Prevention
Protecting yourself from threats like Mirax requires a multi-layered approach:
- Be Skeptical of Ads: Exercise caution when clicking on advertisements, especially those promising unrealistic rewards or benefits. Verify offers directly through the official website of the company promoting them.
- Download Apps from Trusted Sources: Only download applications from official app stores like Google Play Store. Even then, carefully review app permissions and read user reviews before installing.
- Enable Google Play Protect: Google Play Protect scans apps on your device for malware. Ensure it’s enabled in your Google Play Store settings.
- Keep Your Device Updated: Regularly update your Android operating system and installed applications to patch security vulnerabilities.
- Use a Mobile Antivirus Solution: Consider using a reputable mobile antivirus application to detect and remove malware.
- Review App Permissions: Regularly review the permissions granted to your installed applications and revoke any unnecessary permissions.
- Monitor Network Activity: Be vigilant for unusual data usage, in particular a steady flow of traffic while the phone is idle; a device acting as a proxy relays other people's traffic around the clock.
- Factory Reset: If you suspect your device has been infected, perform a factory reset, which removes all user-installed apps, including a sideloaded RAT. Back up your important data first. Afterwards, change the passwords of accounts used on the device and sign out of active sessions, since SMS codes and credentials may already have been captured.
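For the permission-review and sideload checks above, a responder with USB debugging access can pull the facts from the device instead of relying on the Settings UI. The script below is an added example of mine, not tooling from the Mirax analysis: it lists third-party packages whose installer is not the Play Store and shows which sensitive runtime permissions a given package has actually been granted. It consumes saved output of `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>`; the embedded samples are constructed to approximate that output, and the package names in them are hypothetical. A non-Play installer is a triage signal, not proof of compromise, since OEM app stores and enterprise MDM tools also install apps.

```python
"""Triage installed third-party apps from saved adb output.

Added example. With the device attached, capture:
  adb shell pm list packages -3 -i > packages.txt
  adb shell dumpsys package com.example.batterysaver > batterysaver.dumpsys
then run: python adb_triage.py packages.txt batterysaver.dumpsys
Without arguments the constructed samples below are used.
"""
import re
import sys

PLAY_STORE = "com.android.vending"
SENSITIVE = {"android.permission." + p for p in (
    "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS", "READ_CALL_LOG",
    "ACCESS_FINE_LOCATION", "CAMERA", "RECORD_AUDIO")}

# Constructed sample approximating `pm list packages -3 -i` output.
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.batterysaver  installer=null
package:com.example.bankapp  installer=com.android.vending
"""

# Constructed sample approximating the relevant parts of `dumpsys package`.
SAMPLE_DUMPSYS = """\
Package [com.example.batterysaver] (a1b2c3d):
    userId=10312
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=123 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=false, flags=[ USER_SET]
    Dexopt state:
      [com.example.batterysaver]
"""

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=(true|false)")


def sideloaded_packages(pm_output: str) -> list:
    """Third-party packages whose recorded installer is not the Play Store."""
    return [m.group(1) for m in map(PKG_LINE.match, pm_output.splitlines())
            if m and m.group(2) != PLAY_STORE]


def granted_runtime_permissions(dumpsys_output: str) -> dict:
    """Permission name -> granted flag, taken only from 'runtime permissions:'
    blocks (install-time permissions like INTERNET are deliberately skipped)."""
    result, in_section = {}, False
    for line in dumpsys_output.splitlines():
        if line.strip() == "runtime permissions:":
            in_section = True
            continue
        if not in_section:
            continue
        m = PERM_LINE.match(line)
        if m:
            result[m.group(1)] = (m.group(2) == "true")
        elif line.strip():
            in_section = False          # first unrelated line ends the block
    return result


def granted_sensitive(dumpsys_output: str) -> list:
    """Sensitive runtime permissions the user has actually approved."""
    return sorted(p for p, ok in granted_runtime_permissions(dumpsys_output).items()
                  if ok and p in SENSITIVE)


if __name__ == "__main__":
    pm_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PACKAGES
    dump_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_DUMPSYS
    print("not installed from Play:", sideloaded_packages(pm_text))
    print("granted sensitive runtime permissions:", granted_sensitive(dump_text))
```

Run it per suspicious package; a sideloaded app with SMS permissions granted is the combination that matters for a SMS-stealing RAT, because a merely requested permission that the user never approved gives the malware nothing.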
Reporting to Meta
It’s critical to report suspicious advertisements promoting malicious software to Meta (Facebook, Instagram, etc.). This allows Meta to take action against the offending accounts and advertisements, preventing further infections.
Conclusion
The Mirax Android RAT campaign demonstrates the evolving tactics of cybercriminals. By leveraging the vast reach of Meta’s advertising platform, they are able to distribute malware on a large scale, targeting unsuspecting users. Staying vigilant, educating users about the risks, and implementing strong security measures are crucial in mitigating the threat posed by Mirax and similar Android RATs.
Continuous monitoring and analysis are underway to track the evolution of Mirax and develop effective countermeasures. We will continue to update this blog post with new information as it becomes available.
