Smartphone payments have become an integral part of everyday life, but with convenience come risks. MIUI HyperOS is no exception: scammers actively exploit vulnerabilities in the system, banking applications and even embedded services such as MIUI According to Group-IB, in 2023, one in five cases of theft of money from accounts was associated with the compromise of mobile devices β and Xiaomiβs share in this statistic is growing.
The problem is compounded by the fact that users often ignore basic security measures, relying on factory protection, but even new models like the Xiaomi 14 Ultra or Redmi Note 13 Pro are not available.+ Vulnerable to attacks through phishing sites, malicious APK-This article will not just list the threats, it will give specific instructions on how to neutralize them, from setting up hardware protections to blocking unauthorized transactions in real time.
We will pay special attention to hidden leak channels: for example, how fraudsters use the Mi Share function to intercept. OTP-Why connecting to public Wi-Fi networks on Xiaomi is 3 times more likely to compromise payment data than on other brands. MIUI 14 and HyperOS 1.0 with Chinese and global firmware features.
1.The main threats to payment security on Xiaomi
Xiaomi devices face a unique set of risks posed by architecture MIUI/HyperOS, And the brand's popularity among fraudsters:
- π Phishing through MIUI Wallet: Attackers send fake βblockingβ notifications with a link to a fake authorization page, especially dangerous for Xiaomi Pay users in China and Russia.
- π± Exploitation through ADB: Adb debugging bridge is enabled by default on many models (e.g, POCO X5 Pro), which allows you to remotely install malware.
- π MITM-Public Network Attacks: Mi Wi-Fi Assistant automatically connects to open access points where attackers intercept the traffic of banking applications.
- π³ Cloning NFC-Maps: Vulnerability in the chip NXP PN80T (used by Xiaomi 12T and newer) allows you to read map data at a distance of up to 10 cm.
According to Kaspersky Lab, in 2026, 42% of mobile wallet attacks are on devices with a mobile wallet. MIUI For example, the FakeBank Trojan disguises itself as an update to the Mi Security Center and intercepts the software. SMS confirmation-coded.
β οΈ Note: If you have ever installed APK-Files from sources outside of Google Play or Mi App Store, your device is 68% likely to be infected with spyware. β Annexes β Application management β Three points. β Show system and search for unknown services.
Another critical vulnerability is unauthorized access through Mi Account, where if an attacker gains access to your Xiaomi account, they can remotely unlock the device even if the device has a pattern lock installed on it. This is especially true for models with HyperOS, where the account binding to the hardware is weaker than in the case of the device. MIUI 13.
2. Hardware protection setup: from biometrics to Secure Folder
The first step to security is to properly configure the device itself, starting with the basic but often ignored settings:
- π Turn it off. ADB-Debugging: Go to Settings β The phone. β Version. MIUI (Press 7 times to activate the developer mode, then in Settings β Additionally. β For developers β Debugging by USB and deactivate the option.
- π Set up confirmation gestures: In Settings β Lock screen β Additional settings include βGestoring Confirmationβ for payments β this will add a second authentication step.
- π Use Secure Folder: In MIUI 14+ App isolation is now available. Move the banking applications there: Settings β Confidentiality β Secure Folder.
For models with HyperOS (e.g. Xiaomi 14), the "Payment Hardware Insulation" feature is available.
- Open Settings β Google β Security.
- Choose Hardware Payment Protection.
- Turn on the option and confirm through PIN-card.
Pay special attention to the setting NFC. By default, Xiaomiβs Quick Payments feature is enabled, allowing transactions up to 1,000β½ without unlocking the screen. Turn it off in Settings. β Connections β NFC β Payment settings.
Disable debugging by USB (ADB)
Install PIN-code SIM-map
Activate Secure Folder for banking applications
Disable Autoconnection to Public Wi-Fi
Set up two-factor authentication in Mi Account-->
3. Protection MIUI Wallet and Xiaomi Pay: step-by-step instructions
MIUI Wallet and Xiaomi Pay are integrated into Xiaomiβs ecosystem, but their protection is often inferior to decisions from Google or Samsung:
Step 1: Linking to a hardware key
Unlike Google Pay, Xiaomi Pay does not use StrongBox (hardware security module) to enable it:
- Open up. MIUI Wallet.
- Go to Settings. β Security of payments.
- Select Use the hardware key (option available on Snapdragon 8 Gen 2)+).
Step 2: Limiting geolocation
Xiaomi Pay transmits location data by default for each transaction. β Confidentiality β Permits β MIUI Wallet β Geolocation.
Step 3: Blocking Notifications
Notification from MIUI Wallet may contain sensitive information (such as the last digits of the map) and can be hidden through: β Notifications β MIUI Wallet β Confidentiality of notices.
| Threat. | Xiaomi model | Protection |
|---|---|---|
| Interception. NFC-transaction | Xiaomi 13T Pro, Redmi K60 | Disable "Quick Payments" in NFC-setting |
| Phishing through Mi Push | All models with MIUI 12+ | Disable notifications from com.xiaomi.mipush |
| Data breaches via Mi Cloud | HyperOS devices | Turn off sync. MIUI Wallet in the cloud |
β οΈ Note: If you use Xiaomi Pay in China, your transactions can be processed through UnionPay servers without encryption. TLS 1.3 We recommend linking the card only through Google Pay or a bank application with support 3D Secure 2.0.
π‘
Before adding the map to MIUI Wallet check it through the service BIN List β some banks (e.g. Tinkoff) block transactions with Xiaomi wallets due to high risk of fraud.
4.Blocking fraudulent transactions in real time
Even with the security on, payments can be compromised, and here's how to quickly block unauthorized transactions:
Method 1. SMS-bank-team
Most Russian banks support emergency blocking of the SMS. Keep in touch the following numbers and commands:
- π¦ Sberbank: send Block 1234 (where 1234 is the last digits of the card) to 900.
- π³ Tinkoff: Call me on the phone 8 800 555-10-10 and follow voice instructions.
- π° VTB: Send the Block to 900.
Method 2: Blocking through Mi Security
V MIUI 14+ There is a built-in function of blocking payments:
- Open Security (Shield icon).
- Go to Payment Protection β Emergency lockdown.
- Enter. PIN-code from Mi Account.
This feature sends a request to block all associated cards in the MIUI Wallet and Google Pay.
Method 3: Remote locking through Find Device
If your device is stolen, lock it through Find Device:
- Sign in to the Mi Account.
- Select the device and press Lock.
- Activate the option to erase data (this will delete all payment tokens).
What to do if the fraudster has already written off the money?
5. Protection against phishing and malware
Phishing attacks on Xiaomi are often disguised as system notifications, and hereβs how to detect and prevent them:
Signs of phishing:
- π Notice requesting βupdate map dataβ in MIUI Wallet (real updates are available without a password request).
- π The link leads to a domain other than mi.com or google.com (e.g. mi-pay-security.com).
- π± Installation request APK-file under the pretext of "payment protection".
How to block phishing:
- Open Settings β Applications β Application Management.
- Find Mi Browser and turn off the permission to Show over other windows.
- B Settings β Google β Security Enable Phishing Protection.
To verify the authenticity of notifications, use the official Mi Verify app (available from the Mi App Store). QR-codes and links to the database of legitimate services Xiaomi.
Malware removal:
If you suspect an infection, follow the following steps:
- Go to Settings. β The phone. β Version. MIUI Check for unauthorized updates.
- Install Malwarebytes from Google Play and run a deep scan.
- If threats are found, restart the device in Safe Mode (press the power button). β Long press on βSwitch Offβ and remove suspicious apps.
π‘
Never enter card details in applications that request permission to access the card. SMS Legitimate payment services (Google Pay, Sberbank Online) do not require such permissions.
6. Security of banking applications: features for Xiaomi
Banking applications on Xiaomi often run unstable due to conflicts with the company. MIUI Optimization. Here's how to make sure they work and protect:
Setup for Sberbank Online, Tinkoff, VTB:
- π‘οΈ Turn off optimization: Go to Settings β Annexes β Application management β Three points. β Special access β Battery Optimization and Select All Apps. Find a Bank App and Turn Off Optimization.
- π Stop Automatic Update: Turn off Auto Update for banking apps on Google Play (they may contain vulnerabilities in newer versions).
- π‘ Use it. VPN For transactions: Set up ProtonVPN or Warp to connect to servers in your bankβs country (this will protect you from the use of the system). MITM-attack).
Problems with push notifications
On Xiaomi, notifications from banking apps often fail due to aggressive energy saving policies.
- Go to Settings β Notifications β Notifications Management.
- Find the banking app and enable Important Notifications.
- B Settings β Battery β Battery mode select Performance.
Protection against keyloggers
keyboard MIUI By default, it does not encrypt input in banking applications. Install an alternative keyboard with SSL-pinning support, for example:
- Gboard (enable Safe Entering in Settings).
- SwiftKey with Incognito Mode option.
7. Additional measures: from SIM-swap to antivirus
Even with a secure device, fraudsters can bypass it through a telecom operator or social engineering, and consider advanced security techniques.
1.SIM-swap protection
SIM-swap is a replacement for yours. SIM-card-snatcher SMS with codes, to prevent it from happening:
- π± Put it in. PIN-code SIM-map (default is disabled) You can do this through Settings β SIM-maps and mobile networks β Lockdown SIM-map.
- π Register with eSIM (it is more difficult to clone).
- π Include notifications about changing the number in the operatorβs personal account.
2 Antivirus with Payment Protection
Standard Mi Security does not detect most banking Trojans.
| Antivirus | Features | Cost |
|---|---|---|
| Kaspersky Internet Security | Blocking phishing, protecting transactions, VPN | 1 200β½/year |
| Bitdefender Mobile Security | Scanning. APK, keylogger protection | 900β½/year |
| Dr.Web Security Space | Network activity control, anti-spam | 800β½/year |
3. Hardware security tokens
For maximum protection, use physical tokens:
- π YubiKey 5Ci: Supports NFC and USB-C, Compatible with Google Advanced Protection.
- π³ Sberbank Key: Contactless token for authorization in Sberbank Online.
They are connected through settings. β Google β Account management β Security β Two-step authentication.
π‘
If you travel frequently, activate the βGeo-blockβ option in the banking application β it will automatically block the card when you try to pay in an unusual region.
8 What to do if the money has already been written off?
If fraudsters managed to conduct a transaction, act on this algorithm:
Step 1: Lock the card and score
- π Call the bank immediately (see section 4 for numbers).
- π» Block the card in your personal account or mobile application.
- π Save screenshots of the transaction and SMS-notice.
Step 2: Legal Action
- π Submit a report to the police through the portal of the Ministry of Internal Affairs (specify article 159.3 of the Criminal Code of the Russian Federation).
- π If the debit was through Xiaomi Pay, request logs from Xiaomi support (specify the transaction number and IMEI device).
- ποΈ Contact the Central Bank of the Russian Federation with a complaint against the bank if it refused to return funds.
Step 3: Restoring the security of the device
- Perform reset to factory settings: Settings β About phone β Reset settings.
- Install all available updates MIUI/HyperOS.
- Change passwords from Mi Account, Google Account and banking services.
β οΈ Note: If the fraudster used Social Engineering (e.g., called on behalf of a bank), the chances of getting the money back are less than 15%.In this case, focus on blocking further transactions and gathering evidence for the court.