Finding hidden files or suspicious objects on a Xiaomi Redmi smartphone is a task that requires care and knowledge of the features of the MIUI operating system. Many users face the need to check the device for unauthorized changes, especially if the phone was bought from hand, had strange behavior or suddenly began to consume more traffic. It is important to understand that the term "bookmark" in the context of smartphones can mean both a physical device (for example, a bug) and software (spyware, backdoors, hidden services).
Redmi makes search difficult because of the closed MIUI ecosystem, where some system files are hidden from the user by default. However, with standard tools and third-party applications, you can conduct in-depth diagnostics. In this article, we will analyze legitimate search methods (without hacking the system), and also tell you what to look for so as not to confuse conventional system processes with a potential threat.
โ ๏ธ Warning: Not all suspicious files are bookmarks. For example, the /data/com.miui.securitycenter folder is a Xiaomi standard antivirus, and the com.xiaomi.midrop process is responsible for fast file transfer, and removing such components can disrupt the system.
1. Physical device check: where can the bug be hidden
Before digging into the software, check out Xiaomi Redmi for physical manipulation. Modern bugs can be the size of a coin and hidden in the following places:
- ๐ Under the battery: On removable battery models (like the Redmi 4A or Redmi 5), check the space under the lid. Look for small black boxes with antenna.
- ๐ฑ In the SIM- card slot: Some wiretaps disguise themselves as a second SIM- card. Check the tray for any outside contacts.
- ๐ Near the charging socket: Microphones can be soldered into a board near the USB- port, and the sign is that the case is unusually heated in this location.
- ๐ง In the headphone jack: Rarely, but there are devices that transmit sound through the 3.5mm jack (relevant to older Redmi Note 3/4 models).
If you find a suspicious object, do not try to remove it yourself - this can damage the board. It is better to contact the service center to check the integrity of the hardware. For models with a fixed battery (for example, the Redmi Note 10 Pro), the physical examination is better entrusted to professionals.
โ ๏ธ Warning: Some bugs may be disguised as regular components, such as a second noise-cancellation microphone, and if the phone starts to behave strangely after repair, it's a good idea to check for foreign parts.
2. Search for hidden files and folders in MIUI
The MIUI operating system hides some of the system files by default, and to see them, you need to enable the display of hidden elements in the file manager:
- Open the Files app (the folder icon on the desktop).
- Slip on three dots in the upper right corner โ Settings.
- Activate the option to show hidden files.
- Return to the root directory (/) and check the following folders: /data โ system data (root rights are required for full access). /system โ firmware and preinstalled applications. /sdcard/.thumbnails โ thumbnail cache (sometimes used for masking). /sdcard/MIUI โ service shell files.
Note files with unusual extensions (such as.apk in non-standard folders) or change dates that do not match your actions.
- ๐ Folders with random names (e.g., xx12345 or temp_backup).
- ๐ Files with 777 rights (full access for all users)
- ๐ Items modified while the phone was off or roaming.
A critical sign of bookmarking: the presence of files in the /system/bin folder with unknown names (such as suhide or busybox), if you did not install custom firmware, such files may belong to root access or backdoor.
โ๏ธ What to check in the file manager
3. Analysis of installed applications
Many tabs are disguised as regular apps to identify them:
- Go to Settings โ Applications โ Application Management.
- Sort the list by installation date (โฎ โ Sorting โ Time of installation).
- Check out apps with unfamiliar names or โcogโ/empty leafโ icons.
- Click on the suspicious app and examine: ๐ฅ Permissions: Microphone Access, Geolocation, SMS for no reason. ๐ Traffic Use: In Settings โ Network and Internet โ Traffic Use. ๐ Auto Run: In Settings โ Battery and Performance โ Auto Run Management.
Pay special attention to the applications with names:
- ๐ก๏ธ com.android.system.update โ may be legitimate, but sometimes it is replaced.
- ๐ com.qualcomm... โ unless you have Snapdragon, it's suspicious.
- ๐ก com.xiaomi.mipush.sdk is a full-time push notification service, but may be abused.
For a deep analysis, use VirusTotal:
- Download the APK of the suspicious app via APK Extractor (from Google Play).
- Upload the file to VirusTotal.
- Check out antivirus reports (especially Kaspersky and Dr.Web).
๐ก
If the application cannot be removed in the standard way (the "Delete" button is inactive), this is a sign of system software or bookmarks. Try disabling it in the settings or using the ADB- command:
adb shell pm uninstall -k --user 0 name.packet4. Checking network activity
Bookmarks often transmit data over the network to identify them:
- Install NetGuard (without root) or PCAPdroid (for deep analysis).
- Run traffic monitoring and note: ๐ Unknown IP- addresses: Especially in China, the United States or Russia (if you haven't visited them). ๐ค Permanent outbound connections: Even when the phone is on standby. ๐ DNS- query suspicious domains:*.miui.com out of updates.
list
Examples of normal compounds for Redmi:
| Process | Domain/IP | Appointment |
|---|---|---|
| com.miui.analytics | data.mistat.xiaomi.com | Anonymous statistics collection (can be turned off) |
| com.xiaomi.xmsf | api.io.mi.com | Push Notifications and Cloud Services |
| com.android.vending | *.googleapis.com | Google Play Services |
| com.miui.securitycenter | api.misafesdk.com | Security and scanning |
โ ๏ธ Note: If you see connections with IP-Addresses in the ranges 185... or 91... (often used for proxies and VPN), this may indicate a data breach. VPN-programs without your knowledge.
5. Root access check and system modifications
Many bookmarks require root rights to disguise them, to check for them:
- Install Root Checker from Google Play.
- Run a check. If it's positive, someone has accessed your phone root.
- Check for root management applications (SuperSU, Magisk Manager).
- Examine /system/build.prop file for strings: ro.secure=0 โ Firmware signature check is disabled. ro.debuggable=1 โ debugging mode is enabled.
If the root access is detected but you have not installed it:
- ๐ ๏ธ Reset your phone to factory settings (Settings โ About Phone โ Reset settings).
- ๐ Fly the device through the Mi Flash Tool (instructions on the official website).
- ๐จ If the root remains after reset, it is a sign of hardware bookmarking (modified bootloader).
What if you find Magisk without your knowledge?
6.Use of antiviruses and specialized tools
Standard antiviruses (such as Avast or Dr.Web) may not detect a bookmark if it is deeply integrated into the system.
- ๐ก๏ธ Malwarebytes: Specializes in spyware and adware viruses.
- ๐ Kaspersky Mobile: Has a Chinese threat base (relevant to MIUI).
- ๐ก GlassWire: Monitors network activity in real time.
- ๐ง SD Maid: Cleans system debris and finds suspicious files.
Procedure:
- Install Malwarebytes and run a deep scan.
- Check the report for: Android/Trojan are data-stealing Trojans. Android/Spynote is spyware. Android/Backdoor are remote backdoors.
PCAPdroid
Wireshark
โ ๏ธ Warning: Some antiviruses may give false positives to system files MIUI (e.g., com.miui.securitycenter).
๐ก
If an antivirus has found a threat called Android/Xiaomi.Agent, it's not always a virus, it's often labeled legitimate MIUI services (for example, for updates), and check the official list of Xiaomi system packages.
7. Additional bookmarking features on Xiaomi Redmi
In addition to technical checks, pay attention to the indirect signs:
- ๐ Fast battery discharge: The bookmarks often run in the background, consuming energy. Check in Settings โ Battery โ Battery usage.
- ๐ถ Unexplained traffic: In Settings โ SIM-maps and mobile networks โ Using traffic look for horse racing at night.
- ๐ Noise in the speaker: When calling or recording voices, you hear interference - hardware wiretapping is possible.
- ๐ฑ Spontaneous actions: The phone turns on the camera, microphone, or transfers files without you.
- ๐ Unusual SMS: Messages from short numbers (e.g., +86...) or command codes (e.g., ##123##).
If you see at least 2-3 signs from the list, this is a good reason to deeply check.
- ๐จ The phone sends SMS to pay numbers (check Settings โ SIM- cards โ Costs for SMS).
- ๐ก Connects to unknown Wi-Fi networks (even if you have disabled your auto-connection).
- ๐ Heated off, a sign of background processes.
๐ก
If you suspect your phone is being tapped, do a test: call a friend and ask if you can hear any extraneous noises (such as echoes or clicks). For accurate diagnosis, use the Frequency Sound Analyzer app to check for ultrasonic signals (some bugs operate at 18-22 kHz frequencies).