A new and potentially dangerous Android banking malware known as Mirax Bot has emerged in the global cybercrime ecosystem, raising serious concerns for mobile users and financial institutions. Cybersecurity researchers say the malware is being actively promoted on underground cybercriminal forums and is designed specifically to carry out financial fraud and bank account takeovers.
Malware-as-a-Service Model
According to security experts, Mirax Bot is being sold under a Malware-as-a-Service (MaaS) model, meaning cybercriminals can rent the tool to conduct large-scale fraud operations without needing advanced technical skills. This model allows even low-level criminals to deploy sophisticated malware campaigns targeting Android devices around the world.
The malware is reportedly being advertised on the underground marketplace ExploitForum, a well-known cybercriminal platform where hacking tools, stolen data, and fraud services are frequently traded. Reports claim that Mirax Bot supports more than 700 application injects, enabling attackers to target hundreds of banking, cryptocurrency wallet, and payment applications.
HVNC Remote Device Control
One of the most alarming features of Mirax Bot is its use of Hidden Virtual Network Computing (HVNC) technology. This capability allows cybercriminals to remotely control an infected Android device without the user noticing any visible activity.
Using HVNC, attackers can secretly open banking apps, authorize transactions, transfer funds, and extract sensitive information through a hidden parallel session, all while the device owner remains unaware that the phone is being manipulated remotely. Through its application injects, the malware can also display convincing fake overlays that mimic legitimate app interfaces, tricking users into entering sensitive details such as login credentials, card information, and one-time passwords (OTP).
The malware is reportedly being offered in multiple rental packages. Available listings suggest that a 30-day “Light Package” costs around $1,750, while a 14-day package costs approximately $1,000. An additional tool called an APK Loader, which helps distribute and install the malicious app on victims’ devices, is being offered as an add-on for about $500.
Residential Proxy Capability
Cybersecurity researchers from KrakenLabs first flagged the advertisement for Mirax Bot on March 5, 2026, after tracking its promotion across underground cybercriminal platforms. Another concerning feature of Mirax Bot is its ability to turn an infected device into a residential proxy. In this scenario, attackers route their malicious traffic through the victim’s own internet connection.
As a result, fraudulent banking activity appears to originate from the victim’s device and IP address, making it much harder for security systems to detect suspicious behavior in real time. Experts say this technique can significantly weaken traditional banking fraud detection systems, which often rely on IP address monitoring and device recognition to identify suspicious activity.
Android User Protection Advised
Renowned cybercrime expert and former IPS officer Prof. Triveni Singh says the rapid growth of mobile banking has made Android devices a prime target for cybercriminals. Cybersecurity specialists have advised Android users to adopt strict safety practices. They recommend downloading applications only from official app stores, avoiding APK installations from unknown or untrusted sources, and carefully reviewing app permissions before granting access.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
