NullSec.news// Cyber news for anyone

Android Under Fire: Mirax RAT, EngageLab SDK Flaw, and SparkCat Variant Target Mobile Users and Crypto Wallets

Three distinct Android threats emerged this week: the Mirax RAT converting phones into proxy nodes via Meta ads, a patched EngageLab SDK vulnerability that exposed 50 million users, and a new SparkCat variant scanning photo galleries for crypto wallet seed phrases. Together, they illustrate a converging threat landscape around mobile devices and digital assets.


Three separate disclosures this week paint a consistent picture: Android devices - and the cryptocurrency wallets on them - are facing escalating, multi-vector pressure from threat actors ranging from Malware-as-a-Service operators to supply-chain vulnerabilities in third-party SDKs.

Mirax RAT: Banking Trojan Meets Residential Proxy

Italian fraud prevention firm Cleafy published details on Mirax, an Android RAT distributed through a private MaaS model priced at $2,500 for a three-month subscription [1]. What sets Mirax apart from conventional mobile trojans is its dual purpose: beyond standard keylogging, overlay attacks, and credential theft, it converts infected devices into SOCKS5 residential proxy nodes using Yamux multiplexing [1].

This proxy layer lets attackers route traffic through victims' real IP addresses - useful for bypassing geolocation restrictions and evading fraud detection during account takeovers. Campaigns promoting Mirax dropper apps via Meta ad platforms have reached more than 220,000 accounts, primarily targeting Spanish-speaking users [1]. The ads pose as free streaming services; dropper APKs are hosted on GitHub. Once installed, the malware masquerades as a video player and abuses Accessibility Services to operate undetected.

Access to the Mirax MaaS is restricted to a small number of Russian-speaking affiliates with established reputations in underground forums, suggesting deliberate operational security by the developer [1].

EngageLab SDK: Supply-Chain Risk at Scale

Microsoft's Defender Security Research Team disclosed a now-patched intent redirection vulnerability in version 4.5.4 of the EngageLab push-notification SDK [2]. Intent redirection - where a malicious app exploits the trusted context and permissions of another app - allowed any local app on the same device to bypass Android's sandboxing model and access private data belonging to apps that embedded the SDK.

The vulnerable SDK was integrated into apps with more than 50 million total installs, of which roughly 30 million were cryptocurrency and digital wallet applications [2]. EngageLab patched the flaw in version 5.2.1, released in November 2025, and affected apps have been removed from Google Play. Microsoft noted no evidence of in-the-wild exploitation but stressed the cascading risk: a single upstream library weakness can silently compromise millions of downstream installs.

SparkCat Returns With Enhanced Obfuscation

Kaspersky documented a new variant of SparkCat, the OCR-based infostealer first identified in February 2025 [3]. The updated version was found in three apps - one on Google Play and two on the Apple App Store - disguised as an enterprise messenger and food delivery services. SparkCat scans victims' photo galleries using optical character recognition to identify and exfiltrate images containing cryptocurrency wallet recovery (seed) phrases [3].

The Android variant now incorporates code virtualization and cross-platform tooling to resist analysis. It targets Japanese, Korean, and Chinese keywords, pointing to an Asian-focused campaign, while the iOS variant scans for English-language mnemonic phrases, broadening its potential reach globally [3].

The Bigger Picture

These three threats converge on a single insight: mobile devices are increasingly treated as high-value infrastructure by attackers, not just endpoints. Mirax monetizes infections twice - once through direct fraud, once through proxy resale. EngageLab demonstrates that supply-chain trust assumptions in mobile SDKs remain fragile. SparkCat shows that official app stores continue to be infiltrated despite review processes.

For defenders, the takeaway is layered: keep SDKs updated, audit third-party dependencies, treat Accessibility Service grants as a critical monitoring signal, and assume that app store provenance alone is insufficient assurance.
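One way to act on the Accessibility Service recommendation above, as an added example that is not part of the original article: a POSIX shell check that takes the value of Android's `enabled_accessibility_services` secure setting (as returned by `adb shell settings get secure enabled_accessibility_services`) and flags any enabled service not on an allowlist. The allowlist contents and the sample service names are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: flag Accessibility Services granted on an Android device that are
# not on a sanctioned allowlist. The secure setting holds a colon-separated list of
# "package/ServiceClass" entries, or the literal string "null" when none is enabled.
# ALLOWLIST is an assumption; populate it with the services your fleet sanctions.
ALLOWLIST="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Print each enabled service that is not allowlisted, one per line.
# $1: raw value of the enabled_accessibility_services setting (adb output allowed).
flag_unexpected_services() {
    raw=$(printf '%s' "$1" | tr -d '\r')   # adb adds CRLF line endings
    [ -z "$raw" ] || [ "$raw" = "null" ] && return 0
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        case ":$ALLOWLIST:" in
            *":$svc:"*) ;;                   # sanctioned service, nothing to report
            *) printf '%s\n' "$svc" ;;       # unexpected grant: investigate this app
        esac
    done
}

# Count of unexpected services; non-zero means the device needs a closer look.
count_unexpected_services() {
    flag_unexpected_services "$1" | grep -c .
    return 0
}

# Constructed sample: TalkBack plus an unknown "video player" service of the kind a
# Mirax-style dropper would register. The package name is made up for the demo.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeplayer/.OverlayService"

# Live use (requires adb and a connected device):
#   flag_unexpected_services "$(adb shell settings get secure enabled_accessibility_services)"
if [ "${1:-}" = "--demo" ]; then
    flag_unexpected_services "$SAMPLE"
fi
```

Run the script with `--demo` to see the constructed sample flagged; on a real device, feed it the adb output instead and alert when the count is non-zero.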


Image: towel.studio / Unsplash

Sources

  1. Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads — The Hacker News
  2. EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs — The Hacker News
  3. New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images — The Hacker News
