Introduction: why miners are dangerous for Xiaomi smartphones
Hidden cryptocurrency mining on Xiaomi smartphones has become one of the most insidious threats of 2023-2026. Unlike traditional viruses, miners do not steal your data - they steal the resources of the device, turning it into a "farm" for mining cryptocurrency. Redmi Note, POCO X and Mi 11 models are especially vulnerable due to their powerful Snapdragon 8xxx and Dimensity processors, which are ideal for mining Monero or Ethereum Classic.
To make matters worse, 90% of Android miners are disguised as MIUI systems, which are almost impossible to detect without special tools. For example, com.qualcomm.thermalservice can consume up to 40% of CPUs in the background, and users will write off overheating as โbad firmware.โ
Signs of Miners Infection on Xiaomi
The first step is diagnostics. Mining viruses are specific, and their symptoms are often confused with hardware problems.
- ๐ฅ Overheating even on simple tasks (e.g., +50ยฐC on WhatsApp). Normally for Snapdragon 8 Gen 2, up to 42ยฐC in plain.
- ๐ Dramatic drop in battery life: If the Redmi Note 12 Pro+ discharges in 4-5 hours without active use, that is a worrying sign.
- โก Suspicious activity CPU in Settings โ Battery State โ Usage CPU Miners are often masquerading as mediaserver or android.process.acore processes.
- ๐ Internet Slowdown: Miners consume traffic to communicate with pools (e.g. minexmr.com or pool.supportxmr.com).
The critical sign is activity at night. Miners often start when the phone is connected to charging and the screen is off.
- Connect your phone to charge before bedtime.
- In the morning, open the settings โ Battery โ Use schedule.
- If the chart shows a constant load of 30-70% in the โsleepโ mode, it is almost a minerโs guarantee.
How to check Xiaomi phone for miner
For accurate diagnosis, use a combination of system tools and third-party utilities. Start with the built-in MIUI tools:
Verification by "Battery state"
Go to Settings โ Battery โ Battery status โ Using the CPU. Pay attention to:
- ๐ Processes with a constant load of 20%+ (e.g., com.android.systemui should not consume more than 5% in idle).
- ๐ Operating time: If a process has been running for 10+ hours in a row, it is suspicious.
- ๐ Unknown names: Miners often masquerade as Google Play Services (but consume 3-5 times more resources).
2. Analysis of network activity
Miners exchange data with pools to find them.
- Install NetGuard (free on Google Play).
- Start monitoring traffic for 10-15 minutes.
- Check for suspicious domains: pool., mine., stratum+tcp://.
Typical โminingโ domains in 2026:
| domain | Type of mining | Danger. |
|---|---|---|
| pool.supportxmr.com | Monero (XMR) | Tall. |
| minexmr.com | Monero | Medium |
| etn.heavenpool.eu | Electroneum | Low. |
| stratum+tcp://xmr.pool.gntl.co.uk | Monero | Tall. |
๐ก
If you find a suspicious domain, copy it and check it through VirusTotal service โ this will help confirm that it is associated with mining.
Manual removal of the miner: step-by-step instructions
If you've confirmed an infection, delete it. Don't use the antiviruses from Google Play, most of which are useless against today's miners.
Step 1: Remove suspicious applications
Miners often penetrate through:
- ๐ฑ Pirate APK (hacked games modified by TikTok/Instagram)
- ๐ Fake updates (e.g., Update MIUI 15" before official release).
- ๐ฎ Free Fire, PUBG Mobile (Ph000)
How to delete:
- Go to Settings โ Applications โ Application Management.
- Sort by installation date โ miners are often installed in โpacksโ with other programs.
- Delete anything suspicious, especially with ADMIN or SYSTEM_ALERT.
Step 2: Cleaning up the autoload
Miners add themselves to autoboot to start after the reboot. To turn off:
- Install Autostarts (requires root or ADB).
- Find processes with the names miner, pool, xmr.
- Turn off their auto-start and delete.
โ๏ธ Checklist before deleting miner
Step 3: Removal through ADB (for Advanced)
If the miner is embedded in the system processes, ADB will help. Connect the phone to the PC and do:
adb shell pm list packages | grep -i "mine\|pool\|xmr"Then remove the packages found:
adb shell pm uninstall -k --user 0 com.example.malwareWhat if ADB does not find a miner?
Deleting the miner without losing data (a way for beginners)
If manual methods don't help or you're afraid of damaging the system, use a secure reset.This method saves your files but deletes all apps and settings:
- Go to Settings โ About the phone โ Reset settings.
- Select "Reset all settings" (Do not "Delete all data!").
- After the reboot, do not restore data from the backup โ the miner can return!
- Install only verified apps from Google Play.
Important: this method does not remove miners embedded in the firmware (for example, through a modified boot.img). If the problem persists after the reset, you need to flash it again.
๐ก
Backups made after infection may contain a miner. Never restore a system from a suspicious backup!
How to protect Xiaomi from miners in the future
Prevention is the best treatment. Follow the rules.
- ๐ก๏ธ Disable the installation from unknown sources (Settings โ Applications โ Special Rights).
- ๐ Check application rights: Miners often request ACCESS_BACKGROUND_LOCATION or REQUEST_INSTALL_PACKAGES.
- ๐ฑ Use alternative firmware: LineageOS or Pixel Experience are free of vulnerabilities MIUI.
- ๐ Update the firmware: MIUI 14+ has closed critical holes used by miners (e.g., the Dirty Pipe vulnerability).
For additional protection:
- Install Bouncer โ it gives temporary permissions to applications.
- Use NetGuard to block suspicious connections.
- Check your phone regularly through Malwarebytes (the only antivirus that detects miners on Xiaomi).
What to do if the miner returns after deleting
If the miner appears again, it means:
- It is embedded in the firmware (for example, through modified recovery).
- You recovered it from an infected backup.
- There is a root access on the phone that exploits the malware.
Decisions:
- ๐ง Frisk your phone through the Mi Flash Tool (instructions for your model on the official website).
- ๐ Close the root access if it has been opened (via Magisk โ Uninstall).
- ๐ฆ Remove all backups made after infection.
โ ๏ธ Warning: If a miner comes back after flashing, it could indicate a hardware chip miner (found in fake Xiaomi from unofficial stores).