Dateline: April 14, 2026
Spanish-Speaking Android Users Hit by Mirax RAT Through Facebook Ads
A new Android malware called Mirax has infected more than 220,000 accounts across Facebook, Instagram, and Messenger through targeted advertising campaigns. The remote access trojan primarily targets Spanish-speaking countries and converts infected devices into SOCKS5 proxy networks.
What Happened?
Cybersecurity researchers discovered the Mirax Android RAT spreading through Meta’s advertising platform, specifically targeting users in Spanish-speaking regions. The malware campaign reached over 220,000 accounts across Facebook, Instagram, and Messenger platforms.
Once installed, Mirax transforms infected Android devices into SOCKS5 proxy servers. This allows cybercriminals to route their internet traffic through compromised phones, hiding their true location and identity during attacks. The malware operates silently in the background while victims use their devices normally.
The attackers distributed Mirax through legitimate-looking advertisements on Meta platforms. These ads likely promoted fake apps or services that, when downloaded, installed the malicious software. The campaign’s focus on Spanish-speaking countries suggests attackers chose regions where they could craft convincing local content.
Security firms tracking the threat found that Mirax includes typical remote access trojan capabilities. The malware can steal personal data, intercept messages, and record device activity. But its primary function appears to be creating a vast network of proxy servers for criminal operations.
The Impact
The scale of this attack shows how cybercriminals abuse major advertising platforms to distribute malware. Meta’s massive user base and sophisticated targeting tools make it an attractive vector for threat actors seeking wide distribution.
Devices infected with Mirax become part of a botnet that criminals can rent or sell to other bad actors. This proxy network helps mask illegal activities like fraud, data theft, and cyberattacks. Victims unknowingly provide the infrastructure for crimes while potentially facing legal scrutiny if their IP addresses appear in security logs.
The targeting of Spanish-speaking users reflects a broader trend of cybercriminals focusing on specific regions and languages. This approach allows attackers to create more believable social engineering campaigns and exploit local cultural knowledge to trick victims.
How to Avoid This
Android users should only download apps from the official Google Play Store and avoid clicking on suspicious advertisements, especially those promoting unknown apps or services. Even ads on major platforms like Facebook can distribute malware.
Check your device for unusual network activity or performance issues. Mirax operates as a proxy server, which can slow internet speeds or cause unexpected data usage. Review your monthly data consumption for unexplained spikes.
Install reputable mobile security software that can detect and remove Android malware. Keep your device’s operating system updated, as newer Android versions include security improvements that make infection harder. If you suspect your device is compromised, disconnect from the internet immediately and run a full security scan.
