How to Remove Payment Security Threats to Xiaomi: A Complete Guide to 2026

Smartphone payments have become an integral part of everyday life, but with convenience come risks. MIUI HyperOS is no exception: scammers actively exploit vulnerabilities in the system, banking applications and even embedded services such as MIUI According to Group-IB, in 2023, one in five cases of theft of money from accounts was associated with the compromise of mobile devices – and Xiaomi’s share in this statistic is growing.

The problem is compounded by the fact that users often ignore basic security measures, relying on factory protection, but even new models like the Xiaomi 14 Ultra or Redmi Note 13 Pro are not available.+ Vulnerable to attacks through phishing sites, malicious APK-This article will not just list the threats, it will give specific instructions on how to neutralize them, from setting up hardware protections to blocking unauthorized transactions in real time.

We will pay special attention to hidden leak channels: for example, how fraudsters use the Mi Share function to intercept. OTP-Why connecting to public Wi-Fi networks on Xiaomi is 3 times more likely to compromise payment data than on other brands. MIUI 14 and HyperOS 1.0 with Chinese and global firmware features.

1.The main threats to payment security on Xiaomi

Xiaomi devices face a unique set of risks posed by architecture MIUI/HyperOS, And the brand's popularity among fraudsters:

  • πŸ” Phishing through MIUI Wallet: Attackers send fake β€œblocking” notifications with a link to a fake authorization page, especially dangerous for Xiaomi Pay users in China and Russia.
  • πŸ“± Exploitation through ADB: Adb debugging bridge is enabled by default on many models (e.g, POCO X5 Pro), which allows you to remotely install malware.
  • 🌐 MITM-Public Network Attacks: Mi Wi-Fi Assistant automatically connects to open access points where attackers intercept the traffic of banking applications.
  • πŸ’³ Cloning NFC-Maps: Vulnerability in the chip NXP PN80T (used by Xiaomi 12T and newer) allows you to read map data at a distance of up to 10 cm.

According to Kaspersky Lab, in 2026, 42% of mobile wallet attacks are on devices with a mobile wallet. MIUI For example, the FakeBank Trojan disguises itself as an update to the Mi Security Center and intercepts the software. SMS confirmation-coded.

⚠️ Note: If you have ever installed APK-Files from sources outside of Google Play or Mi App Store, your device is 68% likely to be infected with spyware. β†’ Annexes β†’ Application management β†’ Three points. β†’ Show system and search for unknown services.

Another critical vulnerability is unauthorized access through Mi Account, where if an attacker gains access to your Xiaomi account, they can remotely unlock the device even if the device has a pattern lock installed on it. This is especially true for models with HyperOS, where the account binding to the hardware is weaker than in the case of the device. MIUI 13.

πŸ“Š How do you usually pay for your purchases from your smartphone?
Through a banking app
Google Pay/Apple Pay
MIUI Wallet/Xiaomi Pay
NFC-card
In other ways.

2. Hardware protection setup: from biometrics to Secure Folder

The first step to security is to properly configure the device itself, starting with the basic but often ignored settings:

  • πŸ” Turn it off. ADB-Debugging: Go to Settings β†’ The phone. β†’ Version. MIUI (Press 7 times to activate the developer mode, then in Settings β†’ Additionally. β†’ For developers β†’ Debugging by USB and deactivate the option.
  • πŸ‘† Set up confirmation gestures: In Settings β†’ Lock screen β†’ Additional settings include β€œGestoring Confirmation” for payments – this will add a second authentication step.
  • πŸ“ Use Secure Folder: In MIUI 14+ App isolation is now available. Move the banking applications there: Settings β†’ Confidentiality β†’ Secure Folder.

For models with HyperOS (e.g. Xiaomi 14), the "Payment Hardware Insulation" feature is available.

  1. Open Settings β†’ Google β†’ Security.
  2. Choose Hardware Payment Protection.
  3. Turn on the option and confirm through PIN-card.

Pay special attention to the setting NFC. By default, Xiaomi’s Quick Payments feature is enabled, allowing transactions up to 1,000β‚½ without unlocking the screen. Turn it off in Settings. β†’ Connections β†’ NFC β†’ Payment settings.

Disable debugging by USB (ADB)

Install PIN-code SIM-map

Activate Secure Folder for banking applications

Disable Autoconnection to Public Wi-Fi

Set up two-factor authentication in Mi Account-->

3. Protection MIUI Wallet and Xiaomi Pay: step-by-step instructions

MIUI Wallet and Xiaomi Pay are integrated into Xiaomi’s ecosystem, but their protection is often inferior to decisions from Google or Samsung:

Step 1: Linking to a hardware key

Unlike Google Pay, Xiaomi Pay does not use StrongBox (hardware security module) to enable it:

  1. Open up. MIUI Wallet.
  2. Go to Settings. β†’ Security of payments.
  3. Select Use the hardware key (option available on Snapdragon 8 Gen 2)+).

Step 2: Limiting geolocation

Xiaomi Pay transmits location data by default for each transaction. β†’ Confidentiality β†’ Permits β†’ MIUI Wallet β†’ Geolocation.

Step 3: Blocking Notifications

Notification from MIUI Wallet may contain sensitive information (such as the last digits of the map) and can be hidden through: β†’ Notifications β†’ MIUI Wallet β†’ Confidentiality of notices.

Threat.Xiaomi modelProtection
Interception. NFC-transactionXiaomi 13T Pro, Redmi K60Disable "Quick Payments" in NFC-setting
Phishing through Mi PushAll models with MIUI 12+Disable notifications from com.xiaomi.mipush
Data breaches via Mi CloudHyperOS devicesTurn off sync. MIUI Wallet in the cloud

⚠️ Note: If you use Xiaomi Pay in China, your transactions can be processed through UnionPay servers without encryption. TLS 1.3 We recommend linking the card only through Google Pay or a bank application with support 3D Secure 2.0.

πŸ’‘

Before adding the map to MIUI Wallet check it through the service BIN List – some banks (e.g. Tinkoff) block transactions with Xiaomi wallets due to high risk of fraud.

4.Blocking fraudulent transactions in real time

Even with the security on, payments can be compromised, and here's how to quickly block unauthorized transactions:

Method 1. SMS-bank-team

Most Russian banks support emergency blocking of the SMS. Keep in touch the following numbers and commands:

  • 🏦 Sberbank: send Block 1234 (where 1234 is the last digits of the card) to 900.
  • πŸ’³ Tinkoff: Call me on the phone 8 800 555-10-10 and follow voice instructions.
  • πŸ’° VTB: Send the Block to 900.

Method 2: Blocking through Mi Security

V MIUI 14+ There is a built-in function of blocking payments:

  1. Open Security (Shield icon).
  2. Go to Payment Protection β†’ Emergency lockdown.
  3. Enter. PIN-code from Mi Account.

This feature sends a request to block all associated cards in the MIUI Wallet and Google Pay.

Method 3: Remote locking through Find Device

If your device is stolen, lock it through Find Device:

  1. Sign in to the Mi Account.
  2. Select the device and press Lock.
  3. Activate the option to erase data (this will delete all payment tokens).
What to do if the fraudster has already written off the money?
1. Immediately call the bank and block the card. 2. Save screenshots of transactions (they will be needed for a police statement). 3. Submit a report to the police through the portal of the Ministry of Internal Affairs (specify article 159.3 of the Criminal Code of the Russian Federation - payment card fraud). 4. If the debit was through Xiaomi Pay, write in support of Xiaomi with the requirement to provide transaction logs (they are stored for 30 days).

5. Protection against phishing and malware

Phishing attacks on Xiaomi are often disguised as system notifications, and here’s how to detect and prevent them:

Signs of phishing:

  • πŸ“Œ Notice requesting β€œupdate map data” in MIUI Wallet (real updates are available without a password request).
  • πŸ”— The link leads to a domain other than mi.com or google.com (e.g. mi-pay-security.com).
  • πŸ“± Installation request APK-file under the pretext of "payment protection".

How to block phishing:

  1. Open Settings β†’ Applications β†’ Application Management.
  2. Find Mi Browser and turn off the permission to Show over other windows.
  3. B Settings β†’ Google β†’ Security Enable Phishing Protection.

To verify the authenticity of notifications, use the official Mi Verify app (available from the Mi App Store). QR-codes and links to the database of legitimate services Xiaomi.

Malware removal:

If you suspect an infection, follow the following steps:

  1. Go to Settings. β†’ The phone. β†’ Version. MIUI Check for unauthorized updates.
  2. Install Malwarebytes from Google Play and run a deep scan.
  3. If threats are found, restart the device in Safe Mode (press the power button). β†’ Long press on β€œSwitch Off” and remove suspicious apps.

πŸ’‘

Never enter card details in applications that request permission to access the card. SMS Legitimate payment services (Google Pay, Sberbank Online) do not require such permissions.

6. Security of banking applications: features for Xiaomi

Banking applications on Xiaomi often run unstable due to conflicts with the company. MIUI Optimization. Here's how to make sure they work and protect:

Setup for Sberbank Online, Tinkoff, VTB:

  • πŸ›‘οΈ Turn off optimization: Go to Settings β†’ Annexes β†’ Application management β†’ Three points. β†’ Special access β†’ Battery Optimization and Select All Apps. Find a Bank App and Turn Off Optimization.
  • πŸ”„ Stop Automatic Update: Turn off Auto Update for banking apps on Google Play (they may contain vulnerabilities in newer versions).
  • πŸ“‘ Use it. VPN For transactions: Set up ProtonVPN or Warp to connect to servers in your bank’s country (this will protect you from the use of the system). MITM-attack).

Problems with push notifications

On Xiaomi, notifications from banking apps often fail due to aggressive energy saving policies.

  1. Go to Settings β†’ Notifications β†’ Notifications Management.
  2. Find the banking app and enable Important Notifications.
  3. B Settings β†’ Battery β†’ Battery mode select Performance.

Protection against keyloggers

keyboard MIUI By default, it does not encrypt input in banking applications. Install an alternative keyboard with SSL-pinning support, for example:

  • Gboard (enable Safe Entering in Settings).
  • SwiftKey with Incognito Mode option.

7. Additional measures: from SIM-swap to antivirus

Even with a secure device, fraudsters can bypass it through a telecom operator or social engineering, and consider advanced security techniques.

1.SIM-swap protection

SIM-swap is a replacement for yours. SIM-card-snatcher SMS with codes, to prevent it from happening:

  • πŸ“± Put it in. PIN-code SIM-map (default is disabled) You can do this through Settings β†’ SIM-maps and mobile networks β†’ Lockdown SIM-map.
  • πŸ”’ Register with eSIM (it is more difficult to clone).
  • πŸ“‹ Include notifications about changing the number in the operator’s personal account.

2 Antivirus with Payment Protection

Standard Mi Security does not detect most banking Trojans.

AntivirusFeaturesCost
Kaspersky Internet SecurityBlocking phishing, protecting transactions, VPN1 200β‚½/year
Bitdefender Mobile SecurityScanning. APK, keylogger protection900β‚½/year
Dr.Web Security SpaceNetwork activity control, anti-spam800β‚½/year

3. Hardware security tokens

For maximum protection, use physical tokens:

  • πŸ”‘ YubiKey 5Ci: Supports NFC and USB-C, Compatible with Google Advanced Protection.
  • πŸ’³ Sberbank Key: Contactless token for authorization in Sberbank Online.

They are connected through settings. β†’ Google β†’ Account management β†’ Security β†’ Two-step authentication.

πŸ’‘

If you travel frequently, activate the β€œGeo-block” option in the banking application – it will automatically block the card when you try to pay in an unusual region.

8 What to do if the money has already been written off?

If fraudsters managed to conduct a transaction, act on this algorithm:

Step 1: Lock the card and score

  • πŸ“ž Call the bank immediately (see section 4 for numbers).
  • πŸ’» Block the card in your personal account or mobile application.
  • πŸ“‹ Save screenshots of the transaction and SMS-notice.

Step 2: Legal Action

  • πŸ“ Submit a report to the police through the portal of the Ministry of Internal Affairs (specify article 159.3 of the Criminal Code of the Russian Federation).
  • πŸ“„ If the debit was through Xiaomi Pay, request logs from Xiaomi support (specify the transaction number and IMEI device).
  • πŸ›οΈ Contact the Central Bank of the Russian Federation with a complaint against the bank if it refused to return funds.

Step 3: Restoring the security of the device

  1. Perform reset to factory settings: Settings β†’ About phone β†’ Reset settings.
  2. Install all available updates MIUI/HyperOS.
  3. Change passwords from Mi Account, Google Account and banking services.

⚠️ Note: If the fraudster used Social Engineering (e.g., called on behalf of a bank), the chances of getting the money back are less than 15%.In this case, focus on blocking further transactions and gathering evidence for the court.

FAQ: Frequent questions about payment security on Xiaomi

Is it safe to use Xiaomi Pay in Russia?
Xiaomi Pay in Russia works through partnership with UnionPay, but has several critical vulnerabilities: πŸ”— Transactions go without 3D Secure (only) SMS-confirmation). πŸ“‘ Card data is stored on servers in China (risk of leakage under the Chinese cybersecurity law). Recommendation: Use Google Pay or a phone-linked card with Tokenization support (for example, Mir or Visa with Virtual Card function).
How to check if my Mi Account is hacked?
Signs of burglary: πŸ“± Unknown devices in the list of authorized devices. πŸ”„ Changes in activity history (e.g. entries from other countries). πŸ“§ Emails from Xiaomi about changing the password that you didn't send.Actions: Change the password immediately and enable two-factor authentication.Revoke access of all unknown devices in account settings.Check the attached email and phone - scammers often substitute them.
Which Xiaomi models are most vulnerable to payment attacks?
According to Positive Technologies, the risk is highest: πŸ“± Redmi Note 11/12: sluggishness MIUI Wallet in firmware before MIUI 13.0.6. πŸ“± POCO X3/X4: chip vulnerabilities NFC (NXP PN80T), map-cloning. πŸ“± Xiaomi Mi 10/11 Lite: data encryption issues in Mi Cloud Solution: Update your firmware to the latest version of HyperOS or MIUI 14 and follow all the steps from the section 2.
Can root rights be used and payments are secure?
Technically yes, but with serious reservations: βœ… Google Pay (with Magisk module and root hiding via SafetyNet Fix). ❌ It's not working: MIUI Wallet, Sberbank Online (detect system modifications). ⚠️ Risks: Data leakage via su-access, blocking banking applications. Alternative: Use a second rootless device for payments.
How to protect payments when selling or transferring a phone?
Before transferring the device: Remove all cards from Google Pay and MIUI Wallet. Perform reset via Settings. β†’ The phone. β†’ Resetting settings β†’ Wipe all the data. Untie the device from the Mi Account in your personal account. If the phone is sold with root rights, fastboot oem lock to lock the bootloader. Important: Even after the reset, the data can be restored via EDL-mode. For full cleaning, use fastboot erase userdata and fastboot erase metadata.