RC RANDOM CHAOS

Mirax Android RAT Hijacks 220K Devices as SOCKS5 Proxies via Meta Ad Campaigns

Original source: "Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads" (The Hacker News)

A newly identified Android remote access trojan dubbed Mirax is being distributed through paid advertisements on Meta’s ad network, with the campaign reaching roughly 220,000 devices. Once installed, the malware conscripts infected handsets into a SOCKS5 proxy network, effectively renting out victim bandwidth and IP reputation to operators and downstream buyers.

The SOCKS5 proxy payload is the commercial core of the operation. Residential mobile IPs are high-value inventory for fraud rings, credential stuffing, ad-fraud farms, and nation-state traffic laundering, because they route around IP-reputation filters that flag datacenter traffic. Turning consumer phones into anonymization infrastructure means victims absorb the abuse signals — account bans, fraud blocks, law-enforcement attention — while the operators monetize the pipe.

The delivery vector is the more damning finding. Meta’s ad platform was the distribution channel at meaningful scale, meaning paid-traffic moderation failed to catch a malware-laden creative or landing page long enough to move six figures of installs. That is a supply-chain problem for the ad ecosystem itself: when the platform’s own delivery rails are the infection path, endpoint defenses and Play Protect heuristics are downstream mitigations at best.


This is an AI-generated summary. Read the original for the full story.