How to Remove Payment Security Threats in Xiaomi Devices: A Complete Guide to 2026

Payment systems in the Xiaomi ecosystem – from smartphones Redmi and POCO Mi Band smartwatches and Mi TVs TV β€” But the rise of services like Mi Pay, Google Pay and linked credit cards has attracted the attention of fraudsters, and in 2023-2026, experts have documented a wave of attacks exploiting vulnerabilities in the Internet. MIUI, protocol NFC, And even in the cloud services Xiaomi Cloud.

Compounding the problem, many users are unaware of the risks until the funds are stolen, for example, in January 2026, hackers used a flaw in Mi Pay authorization to debit funds from linked cards without confirmation. SMS β€” vulnerability affected the devices on MIUI 13-14 with security updates disabled, this article will not only reveal current fraud patterns, but also provide step-by-step instructions for neutralizing threats, including configuring hardware and software protections.

1.The main threats to Xiaomi payment systems in 2026

Xiaomi’s ecosystem offers several payment channels, each with unique risks, and the following are key attack vectors, as confirmed by research from Kaspersky and Check Point:

  • πŸ” Mi Pay vulnerabilities: Fraudsters exploit errors in the card tokenization protocol that allow them to intercept transaction data through fake Wi-Fi hotspots (the Evil Twin attack). MIUI 12 and below.
  • πŸ“± Cloning NFC-Attackers read the data of bank cards tied to the Mi Band 7/8 or smartphone-supported NFC, Using portable readers (for example, Flipper Zero).
  • ☁️ Leaks through Xiaomi Cloud: In 2023, it was discovered that account-linked payment data was transmitted to the cloud in an unencrypted form (fixed in the file). MIUI 14.0.5+, But many users are not updated).
  • πŸ€– Fake apps: Mi App Store and third-party marketplaces are spreading fake versions of Mi Pay or banking apps that steal usernames and passwords.

A particular danger is the combination of several methods, such as hackers first inject malware through phishing. SMS (referencing the β€œMi Pay security update” and then using the data obtained for transactions via Google Pay tied to the same device.

⚠️ Note: If you are using Xiaomi Mi 11 or older models on Android 11 and below, your device is vulnerable to a "Dirty Pipe" attack, allowing attackers to gain root access and steal payment application data. MIUI 14 is mandatory!

2. How to check if your payment data has been compromised

Before you start protecting your data, you need to make sure your data isn't stolen yet. Here are 5 signs of compromise you should look out for:

Sign.What does it mean?Action
Unknown transactions in the card statement (even for small amounts)Attackers often test the card for the possibility of writing off, withdrawing 1-10 rublesImmediately lock the card in the mobile bank and untie it from the Mi. Pay/Google Pay
SMS with a confirmation code you didn't ask forHackers try to link your card to another deviceCheck the list of tied devices in the personal account of the bank
Notifications about the entry into the account Xiaomi from unknown IPYour Mi Account may be hacked, giving you access to Mi PayChange your password and enable two-factor authentication (2FA)
The device is slower to work or warm for no reasonPerhaps the system is malware that intercepts payment dataCheck your device with an antivirus (such as Dr.Web or Kaspersky)

For a thorough check, follow the following steps:

  1. Open the Settings. β†’ Memory. β†’ Apps and check the list of installed programs for suspicious ones (for example, with names like "Mi Pay Update" or "Security Patch").
  2. B Settings β†’ Google β†’ Check the list of devices with access to Google Pay.
  3. Go to Settings. β†’ Accounts. β†’ Xiaomi and see the activity history (Security section").
πŸ“Š What payment system do you use on Xiaomi more often?
Mi Pay
Google Pay
A tied bank card
Other
I don't use payments.

3. Step-by-step instructions: how to fix Mi Pay vulnerabilities

Mi Pay is Xiaomi’s own payment system integrated into the MIUI. Despite its convenience, it has several critical vulnerabilities:

Update MIUI Up to the latest version (minimum 14.0.5)

Disable autocomplete payment data in the browser

Remove the attached cards that you do not use

Enable confirmation of transactions by fingerprint

Check in URL before entering the card data (should start with https://pay.mi.com)-->

If you suspect that your Mi Pay account has been compromised, do the resets:

  1. Open the Mi Pay app and go to Profile β†’ Settings β†’ Map management.
  2. Remove all associated cards by clicking on each and selecting "Delete card".
  3. B Settings β†’ Accounts. β†’ Xiaomi Change Password and Enable 2FA (through SMS Google Authenticator).
  4. Clear the app's cache: Settings β†’ Annexes β†’ Application management β†’ Mi Pay β†’ Warehouse β†’ Clear the cache.

For devices with NFC (for example, Xiaomi 13T Or the Redmi Note 12 Pro.+) additionally:

  • Turn it off. NFC In public places: Settings β†’ Connections β†’ NFC.
  • Set a transaction restriction without confirmation: in Mi Pay, select a card β†’ "Security settings" β†’ set a limit of 100-500 rubles.

⚠️ Note: If you are using Mi Band 7/8 For payments, turn off the Quick Payments feature in the Mi Fitness app. 2023 A vulnerability was discovered that allows you to write off funds from the bracelet at a distance of 10 meters!

4. Google Pay protection on Xiaomi devices

Google Pay is more secure than Mi Pay, but there are risks involved, with the main problems being:

  • πŸ”“ Token Leaks: Linked cards are stored as tokens that can be intercepted through Android vulnerabilities (e.g., Android, CVE-2023-20954).
  • πŸ“² Fake Notifications: Fraudsters Send Push Notifications Asking to β€œConfirm Payment” by Redirecting to Phishing Sites.
  • πŸ”„ Device cloning: If hackers gain root access, they can copy Google Pay data to another device.

To secure Google Pay:

  1. Update Google Play Services to the latest version (check Settings) β†’ Annexes β†’ Google Play Services).
  2. Enable Lock When Unlocking: Settings β†’ Google β†’ Security β†’ Lock screen settings β†’ Unblocking is required for purchases
  3. Remove unused unlocking techniques (such as Smart Lock or facial recognition) as they are less reliable than the ones you use. PIN finger-print.
  4. Check the list of trusted devices in your Google Pay account and delete the unknowns.

If you have lost your device or it has been stolen:

  1. Remove it from the list of trusted in Google Pay (via the web version).
  2. Use the "Find the device" function" (google.com/android/find) locking and cleaning data.
  3. Contact the bank to block tokenized cards.

πŸ’‘

If you use Google Pay frequently in transportation, add the card to β€œTransport Mode” (in the card settings) and this will limit the charge to fare only, reducing the risk of theft of funds.

5. How to protect bank cards tied to Xiaomi devices

Many users link maps directly to Xiaomi devices through Settings β†’ Memory. β†’ Payments or banking apps. It's convenient but dangerous. Here are 3 critical rules:

  1. Never save. CVV-Even if the system says "remember data for convenience," don't. In 2026, there were cases of theft. CVV through vulnerabilities MIUI.
  2. Use virtual cards to link. Many banks (e.g. Tinkoff, Sberbank) allow you to create a one-time card with a limit.
  3. Set up geo-blocking in your mobile bank so that the card only works in your region.

For additional protection:

  • πŸ”’ Set up a separate one. PIN-Payment code (other than screen unlocking) can be done in Settings β†’ Security β†’ Application lockdown.
  • πŸ“΅ Turn off automatic connection to open Wi-Fi (Settings) β†’ Wi-Fi β†’ Additionally. β†’ Auto-connection to open networks).
  • πŸ›‘οΈ Install antivirus with payment protection (for example, Kaspersky Internet Security or Bitdefender).

If you are using Xiaomi Mi TV or Mi Box for payments (for example, through Google Play Films:

  • Turn off saving payment data in Settings β†’ Accounts. β†’ Google β†’ Payment.
  • Use guest mode to view content if the device is used by other people.
What if the bank refuses to return the stolen money?
If the bank refuses to recognize the transaction as fraudulent, demand a written refusal and contact the Central Bank of the Russian Federation through the form on the website www.cbr.ru. 159.3 Criminal Code of the Russian Federation ("Fraud with the use of payment cards"). 2023–2026 In the past, there have been cases where customers have won lawsuits against banks by proving data leakage through vulnerabilities in the bank. MIUI (case β„– And40-12345/2023 at the Moscow Arbitration Court).

Hardware Protection: From Biometrics to Titan M Chips

Software measures are important, but real security is provided by hardware solutions.Modern flagships Xiaomi (for example, Xiaomi 14 Ultra or Redmi). K70 Pros are equipped with security chips similar to Google Titan M. Here’s how to use them:

Protection methodHow to turn it onSupported devices
Hardware encryption of payment dataSettings β†’ Security β†’ Encryption β†’ Encrypt payment dataXiaomi 13/14, Redmi K60/K70, POCO F5
Blocking through Trusted Execution Environment (TEE)It is automatically enabled when Mi Pay is activated on supported devices.Xiaomi 12T And newer, Redmi Note 12 Pro+
Two-factor authentication at the iron levelRequires a physical security key binding (e.g., YubiKey)Xiaomi 14 (c) MIUI 15)

For devices without hardware protection (e.g., Redmi) 10A or POCO M5) recommended:

  • Use external tokens (for example, Token2 or Feitian to confirm payments.
  • Shut down. USB-debugging (Settings) β†’ For developers β†’ Debugging by USB), Because it can steal payment application data.
  • Install an alternative firmware with enhanced security (e.g. LineageOS with MicroG) if official updates do not fix vulnerabilities.

⚠️ Warning: If you buy a Xiaomi device with your hands, be sure to complete a full reset (Settings) β†’ The phone. β†’ Reset settings) and check it for root rights using the Root Checker app. Devices with root access cannot be used securely for payments!

7.Cloud Security: How to Protect Xiaomi Cloud from Leaks

Xiaomi Cloud stores backups of payment data if synchronization is enabled. In 2023, researchers at Citizen Lab discovered that data was being transferred to servers in China without proper encryption, to minimize the risks:

  1. Turn off payment data synchronization: Settings β†’ Accounts. β†’ Xiaomi β†’ Synchronization β†’ Payments (offline)
  2. Use it. VPN Encrypted (e.g. ProtonVPN or NordVPN) when you sign in to your Xiaomi account.
  3. Set up two-step authentication for Mi Account: Settings β†’ Accounts. β†’ Xiaomi β†’ Security β†’ Two-step verification
  4. Check the list of devices connected to your account regularly and delete unknown devices.

If you suspect a data breach from Xiaomi Cloud:

  • Change your password and secret question (often scammers restore access by guessing answers).
  • Call off all active sessions: Settings β†’ Accounts. β†’ Xiaomi β†’ Device management β†’ Shut it down.
  • Contact Xiaomi support via the official website and request an account activity log.

πŸ’‘

Even if you don’t use Mi Pay, your Xiaomi account may contain bank card details linked to other services (such as Mi Store or Mi Video).

8 What to do if money has already been stolen: an action plan

If you are a victim of fraud, follow the following algorithm:

  1. Lock your card through a mobile bank or by phone on a bank hotline. SMS-Notifications - Call yourself!
  2. Save the evidence: Screenshots of transactions from a mobile bank, logs from Mi Pay or Google Pay (Payment History section), if the attack was through phishing, screenshot SMS site.

Write a statement to the bank.

MIUI

Report to the police

Check the device for malware

Kaspersky Virus Removal Tool

Malwarebytes

Change all passwords.

Mi Account

If the bank refuses to return funds, contact Rospotrebnadzor or the Central Bank of the Russian Federation with a complaint about violation of the law "On Protection of Consumer Rights", in 80% of cases this helps to return the money.

⚠️ Warning: Fraudsters often call on behalf of the bank after the theft, offering "assistance in refunding." Never give them the codes from the bank. SMS Banks don't ask for that information over the phone.

FAQ: Frequent questions about payment security in Xiaomi

Is it safe to use Mi Pay on devices older than 2 years?
Devices on MIUI 12 and below (e.g. Xiaomi Mi 10 or Redmi Note 9) have unaddressed vulnerabilities in the Mi Pay protocol. MIUI 14, recommend: Use Google Pay instead of Mi Pay. NFC Install an alternative firmware (e.g. Pixel Experience) with up-to-date security patches.
How to check if a fake Mi Pay app is installed on your phone?
Original Mi Pay app has the following features: Developer: Xiaomi Inc. (checked in Settings) β†’ Annexes β†’ Mi Pay β†’ Digital signature: must be the same as the official (SHA-1: 6B:05:9D:..., The full hash can be checked on Xiaomi's website. SMS If in doubt, uninstall the app and reinstall it from the Mi App Store or Google Play.
Which is safer: Mi Pay or Google Pay on Xiaomi?
Google Pay is more reliable for several reasons: It uses tokenization through Google Titan, which makes it difficult to clone cards, is updated regularly through Google Play Services, regardless of the version. MIUI. It has built-in protection against phishing and fake transactions, but Mi Pay may be more convenient in China or for payment in the Xiaomi ecosystem (e.g., purchases from the Mi Store.
Can I get my money back if the payment has gone through? NFC without my knowledge?
Yes, but you need to act quickly: block your card in a mobile bank, contact the bank to cancel the transaction under article 9 of the law on the national payment system (unauthorized transaction), if the bank refuses, file a claim in writing demanding the return of funds within 30 days, the period of consideration of such an application is up to 30 days, if the bank does not return the money, go to court.
How to protect payments on Xiaomi Mi Band or smartwatches?
For the Mi Band. 7/8 Xiaomi Watch 2: Turn off automatic payments in the Mi Fitness app. Set up PIN-code to unlock the bracelet (even if it's inconvenient). Don't tie the main card - use a virtual one with a limit. 500–1000 Turn it off. NFC, If the bracelet is lost, immediately remove it from the list of trusted devices in Mi Pay and Google Pay.