Why Standard Methods Donβt Work for Xiaomi
Viruses on smartphones Xiaomi, Redmi and POCO They are often disguised as system processes. MIUI, And that makes them invisible to most antiviruses, and unlike other brands, here the virus can hide in folders. /system/priv-app/, You can replace com.miui.daemon or even block access to Recovery. Standard tips like "install Dr.Web" won't work here, you need manual methods that are specific to firmware. MIUI.
The peculiarity of Xiaomi is that even after resetting to factory settings, some viruses are saved in the section. /persist Or backups of Mi Cloud, like Agent.SM, which is a Trojan that's distributed in the U.S. 2023β2026 In the years since, he has been creating hidden device administrators that are not removed from the settings menu. This article covers Xiaomi-unique techniques, including working with the user. ADB, Editing a build.prop file and cleaning up a Dalvik cache is something that isnβt in the general instructions.
Signs of infection: how to distinguish the virus from glucose MIUI
MIUI It's itself guilty of strange behaviors, like opening a Mi Browser ad spontaneously or hanging out because of memory optimization, but there are 100 percent signs of the virus that are not related to the firmware features:
- π± Unknown apps are on the installed list (even after a reset) often masquerading as "Google Play Services Update" or "MIUI System Optimizer".
- π° SMS to paid numbers (check Settings) β SIM-maps and mobile networks β Traffic usage: FakeBank sends messages to numbers like +79xxxxxx890.
- π Battery discharge in 2-3 hours standby. Check settings β Battery β Battery use β if there is a mediaserver or com.android.system process eating 30%+, It's a virus.
- π Redirect to sites when you open any links (including Google) Typical of HiddenAds virus.
If you're watching at least 2 If you look at these signs, don't try to treat your phone with an antivirus -- it'll only remove the symptoms and the core of the virus will remain. For example, Avast or Kaspersky can find a "threat" in the folder. /data/app/, but miss the main module in /system/xbin/.
β οΈ Note: Viruses on Xiaomi often block access to Settings β If you try to open the list of applications and see an error "Com.android.settings process stopped", it means that the virus has changed the system file. Settings.apk. In this case, immediately proceed to the method of ADB.
Preparation: What to do before manual cleaning
Before you start deleting, follow 3 mandatory steps, and ignoring them can lead to a device blink (completely inoperable) or data loss:
- Create a backup through Settings β Additionally. β Backup and reset β Local backup. Viruses can block this process -- if you don't make a copy, use XiaomiTool. V2 PC-only.
- Put the debugging on. USB: Go to Settings. β The phone. β Version. MIUI and tap 7 times on the line to activate the developer mode. β Additionally. β For developers and enable debugging by USB and Unlock. OEM.
- Download the necessary tools: π₯οΈ Android SDK Platform-Tools (for the purposes of ADB-team). π List of engineering codes MIUI (You need to access the hidden menu). π MT Manager or Root Explorer (if root rights are available).
If the virus blocks access to settings, use the emergency debugging method:
1. Turn off the phone.
2. Press the power button + volume up until the Mi logo appears.
3. From the Recovery menu, select Advanced β Enable ADB.Method 1: Remove through hidden settings MIUI (PCless)
This works if the virus has not yet acquired the superuser rights. MIUI Hidden menus that are not dokumented in the official certificate.
Step 1. Verification of device administrators
Many viruses (such as Android.Triada) are registered as administrators, which blocks their removal.
- Open the phone app and enter the code: ##4636###.
- Go to the Usage Statistics menu β Admin apps.
- If you see unknown applications (such as Device Test or System Update Service), remember their names.
Step 2: Delete via the "Special Opportunities" menu
Some viruses are disguised as accessibility services to turn them off:
- Go to Settings β Special features β Special features Services.
- Disable all unknown services (such as TalkBack Helper or Accessibility Suite).
- Back to Settings β Annexes β All applications and find the same names. Click Delete (if the button is inactive, go to the method with the ADB).
Step 3. Clearing Dalvik's cache
Viruses often leave their modules in the Dalvik cache, which leads to reinfection after rebooting.
- Enter the code ##36446337## (test menu will open).
- Choose a Single Test β Dalvik Cache Test.
- Press Clear Cache and restart the phone.
βοΈ Checklist before removal of the virus
Method 2: Removal of the virus through ADB (power-user)
If the virus has blocked access to settings or masquerades as system processes, you will need to ADB (Android Debug Bridge This method allows you to delete virus files directly from the PC command line.
Step 1: Connecting your phone to your PC
- Connect your phone to your computer through USB-cable (original! Chinese cables may not transmit data).
- On the phone in the notification panel, select File Transfer (MTP) mode.
- Open the command line (Windows) or the terminal (Mac/Linux) in the folder with the platform-tools.
- Enter the command to check the connection: Adb devices must appear serial number of your device.
Step 2: Search and remove virus packets
First, we get a list of all the packages installed and find suspicious ones:
adb shell pm list packages -fLook for packages with names like:
- com.android.system.update (fake)
- com.qualcomm.telephony (unless you have a Qualcomm processor)
- com.miui.analytics (if you haven't installed it)
To remove the found package:
adb shell pm uninstall -k --user 0 name packetStep 3: Delete virus files from system folders
If the virus is hidden in the system folders, you will need to mount the partition. /system recording:
adb shell
su
mount -o rw,remount /systemThen delete the virus files (example for Agent.SM Trojan):
rm -f /system/priv-app/SystemUpdate/SystemUpdate.apk
rm -f /system/xbin/su (if it's not your root access!)
rm -f /data/local/tmp/*β οΈ Note: Removing files from /system without root rights can lead to a bootloop cycle. If the phone does not turn on after rebooting, you need to flash the device through Fastboot (instructions in the next section).
π‘
If ADB Can't see the device, try reinstalling the Mi drivers USB Driver from the official Xiaomi website. for Windows can also help the utility Zadig to replace the driver with libusb.
Method 3: Fastboot Flashing (extreme case)
If a virus has damaged system files or blocked access to Recovery, the only reliable way is to completely flash through Fastboot, which erases all data on the phone, including viruses in partitions. /system and /persist.
Step 1. Download the firmware
- Go to MIUI Downloads website.
- Choose your model (for example, Redmi Note 11 Pro)+ 5G) and download Fastboot firmware (file with.tgz extension).
- Unpack the archive in the platform-tools folder (where fastboot.exe is located).
Step 2. Firmware through Fastboot
- Turn off the phone and press Power + Volume down to log into Fastboot Mode.
- Connect your phone to your PC and check for detection: fastboot devices
- Start the firmware (for Windows): fastboot flash all Mac/Linux:./flash_all.sh
Step 3: Unlock the bootloader (if required)
On new Xiaomi models (released after 2021), the bootloader is locked to unlock it:
- Link your Mi Account to your device in Settings β Xiaomi account β Mi Cloud.
- Go to the Mi Unlock website and download the Mi Unlock Tool.
- Follow the instructions (you may need to wait 7-14 days for new accounts).
| Xiaomi model | MIUI version | Do I need to unlock the bootloader for the firmware? | Risk of a breeze when firmware |
|---|---|---|---|
| Redmi Note 10 Pro | MIUI 13β14 | Yes. | Low (1-2%) |
| POCO X3 Pro | MIUI 12.5 | Yes. | Average (5%) |
| Xiaomi 12T | MIUI 14 | Yes (required) | High (10%) |
| Redmi 9A | MIUI 12 | No. | Minimum |
π‘
Fastboot firmware is the only method that is guaranteed to remove viruses from partitions /system and /vendor. However, it requires unlocking the bootloader, which resets all data and can lead to a loss of warranty.
How to prevent re-infection
After removal of the virus, it is necessary to close the "plad" in safety MIUI, This is what we need to do:
- π Disable the installation from unknown sources: Go to Settings β Annexes β Special access β Install unknown applications. Disable permission for Mi Browser, Files and other applications.
- π‘οΈ Set up the built-in scanner MIUI: Open Security. β Virus scanner. Turn on real-time scanner and download check. Add only trusted applications (e.g. Termux or F-Droid) to exceptions).
Blocking Advertising at System Level
- Install Blokada or AdGuard from F-Droid (not from Google Play!).
- In the settings, select Local VPN-Mode and add EasyList filter lists + Malware Domains.
It is also recommended to disable automatic updates. MIUI, Some viruses are spread through fake OTA-packet:
- Go to Settings β About the phone β System update.
- Slap the icon. βοΈ in the upper right corner and disable Automatic Download via mobile network.
- Turn on the Update Check manually.
List of dangerous applications for Xiaomi
Frequent Mistakes and How to Avoid Them
Many users make things worse by following advice from outdated instructions.-5 errors and their consequences:
| Mistake. | Effects of consequences | How right. |
|---|---|---|
| Reset to factory settings through the settings menu | The virus stays in /persist and /cache | Use Wipe Data in Recovery or Fastboot Firmware |
| Installation of antivirus from Google Play | The virus blocks the work of the antivirus or disguises itself as it | First remove the virus manually, then install Malwarebytes from the official website. |
| Delete virus files without backup | Data loss or device blink | Always create a backup with adb backup or XiaomiTool |
| Using root rights to remove the virus | The virus can get root access before you. | First remove the virus through ADB, Then get root if you need to) |
| Firmware through Recovery instead of Fastboot | The virus may remain in the /system | For complete cleaning, use only Fastboot |
If the virus remains after all the manipulations, check:
- π± SIM card: Some viruses (such as Simjacker) store their modules on the computer. SIM. Try inserting another card.
- π Charger: Viruses can be transmitted through infected USB-Ports (especially in public places).
- βοΈ Mi Cloud account: virus could sync to cloud reset password and turn off sync for 24 hours.