Mirax Android banking trojan with residential proxy nodes
Malware Activity
Summary
Hide ▲
Show ▼
Mirax is spreading across Europe with remote access and residential proxy features, increasing the risk of device compromise, data theft, and traffic abuse. The Android banking trojan is reaching Spanish-speaking users through social media ads and fake IPTV or streaming apps. It can execute commands, deploy fake overlays, and collect credentials through continuous keylogging and lock-screen surveillance. By turning infected phones into proxy nodes, it can route malicious traffic through legitimate IP addresses and evade fraud controls.
Related Happenings
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware ActivityAbout this happening: The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...
BTMOB Android RAT no-code builder malware activity
Malware Activity
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
The **BTMOB** Android RAT is spreading through **phishing campaigns** across **Brazil and beyond**, raising the risk of **custom payload delivery** and **remote device takeover**....
BTMOB Android RAT no-code builder malware activity
Malware ActivityAbout this happening: The **BTMOB** Android RAT is spreading through **phishing campaigns** across **Brazil and beyond**, raising the risk of **custom payload delivery** and **remote device takeover**....
Trapdoor Android malvertising and ad-fraud campaign
Campaign
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Trapdoor Android malvertising and ad-fraud campaign
CampaignAbout this happening: The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/Service
First: 13.05.2026 09:55
Last: 13.05.2026 09:55
Sources 1
About this happening:
**Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/ServiceAbout this happening: **Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
Android 17 expands platform security and privacy protections
Security Tool/Service
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Android 17 expands platform security and privacy protections
Security Tool/ServiceAbout this happening: **Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Timeline
-
13.04.2026 17:30 2 articles · 1mo ago
Mirax Android banking trojan spreads across Europe
Initial DisclosureMirax, a newly identified Android banking trojan, is spreading across Europe and targeting Spanish-speaking users through social media advertisements that promote fake IPTV or streaming apps. The malware operates under a restricted Malware-as-a-Service (MaaS) model, can take real-time control of infected devices, execute commands, deploy dynamically fetched fake overlays, establish communication through WebSockets, run continuous keylogging, collect lock screen details such as PIN structure and biometric usage, and convert compromised phones into residential proxy nodes for traffic routing and fraud evasion. Campaigns have reached more than 200,000 accounts.
Show sources
- Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30
- Mirax Android Trojan Turns Devices Into Residential Proxy Nodes — www.infosecurity-magazine.com — 13.04.2026 17:30