Payment systems in the Xiaomi ecosystem β from smartphones Redmi and POCO Mi Band smartwatches and Mi TVs TV β But the rise of services like Mi Pay, Google Pay and linked credit cards has attracted the attention of fraudsters, and in 2023-2026, experts have documented a wave of attacks exploiting vulnerabilities in the Internet. MIUI, protocol NFC, And even in the cloud services Xiaomi Cloud.
Compounding the problem, many users are unaware of the risks until the funds are stolen, for example, in January 2026, hackers used a flaw in Mi Pay authorization to debit funds from linked cards without confirmation. SMS β vulnerability affected the devices on MIUI 13-14 with security updates disabled, this article will not only reveal current fraud patterns, but also provide step-by-step instructions for neutralizing threats, including configuring hardware and software protections.
1.The main threats to Xiaomi payment systems in 2026
Xiaomiβs ecosystem offers several payment channels, each with unique risks, and the following are key attack vectors, as confirmed by research from Kaspersky and Check Point:
- π Mi Pay vulnerabilities: Fraudsters exploit errors in the card tokenization protocol that allow them to intercept transaction data through fake Wi-Fi hotspots (the Evil Twin attack). MIUI 12 and below.
- π± Cloning NFC-Attackers read the data of bank cards tied to the Mi Band 7/8 or smartphone-supported NFC, Using portable readers (for example, Flipper Zero).
- βοΈ Leaks through Xiaomi Cloud: In 2023, it was discovered that account-linked payment data was transmitted to the cloud in an unencrypted form (fixed in the file). MIUI 14.0.5+, But many users are not updated).
- π€ Fake apps: Mi App Store and third-party marketplaces are spreading fake versions of Mi Pay or banking apps that steal usernames and passwords.
A particular danger is the combination of several methods, such as hackers first inject malware through phishing. SMS (referencing the βMi Pay security updateβ and then using the data obtained for transactions via Google Pay tied to the same device.
β οΈ Note: If you are using Xiaomi Mi 11 or older models on Android 11 and below, your device is vulnerable to a "Dirty Pipe" attack, allowing attackers to gain root access and steal payment application data. MIUI 14 is mandatory!
2. How to check if your payment data has been compromised
Before you start protecting your data, you need to make sure your data isn't stolen yet. Here are 5 signs of compromise you should look out for:
| Sign. | What does it mean? | Action |
|---|---|---|
| Unknown transactions in the card statement (even for small amounts) | Attackers often test the card for the possibility of writing off, withdrawing 1-10 rubles | Immediately lock the card in the mobile bank and untie it from the Mi. Pay/Google Pay |
| SMS with a confirmation code you didn't ask for | Hackers try to link your card to another device | Check the list of tied devices in the personal account of the bank |
| Notifications about the entry into the account Xiaomi from unknown IP | Your Mi Account may be hacked, giving you access to Mi Pay | Change your password and enable two-factor authentication (2FA) |
| The device is slower to work or warm for no reason | Perhaps the system is malware that intercepts payment data | Check your device with an antivirus (such as Dr.Web or Kaspersky) |
For a thorough check, follow the following steps:
- Open the Settings. β Memory. β Apps and check the list of installed programs for suspicious ones (for example, with names like "Mi Pay Update" or "Security Patch").
- B Settings β Google β Check the list of devices with access to Google Pay.
- Go to Settings. β Accounts. β Xiaomi and see the activity history (Security section").
3. Step-by-step instructions: how to fix Mi Pay vulnerabilities
Mi Pay is Xiaomiβs own payment system integrated into the MIUI. Despite its convenience, it has several critical vulnerabilities:
Update MIUI Up to the latest version (minimum 14.0.5)
Disable autocomplete payment data in the browser
Remove the attached cards that you do not use
Enable confirmation of transactions by fingerprint
Check in URL before entering the card data (should start with https://pay.mi.com)-->
If you suspect that your Mi Pay account has been compromised, do the resets:
- Open the Mi Pay app and go to Profile β Settings β Map management.
- Remove all associated cards by clicking on each and selecting "Delete card".
- B Settings β Accounts. β Xiaomi Change Password and Enable 2FA (through SMS Google Authenticator).
- Clear the app's cache: Settings β Annexes β Application management β Mi Pay β Warehouse β Clear the cache.
For devices with NFC (for example, Xiaomi 13T Or the Redmi Note 12 Pro.+) additionally:
- Turn it off. NFC In public places: Settings β Connections β NFC.
- Set a transaction restriction without confirmation: in Mi Pay, select a card β "Security settings" β set a limit of 100-500 rubles.
β οΈ Note: If you are using Mi Band 7/8 For payments, turn off the Quick Payments feature in the Mi Fitness app. 2023 A vulnerability was discovered that allows you to write off funds from the bracelet at a distance of 10 meters!
4. Google Pay protection on Xiaomi devices
Google Pay is more secure than Mi Pay, but there are risks involved, with the main problems being:
- π Token Leaks: Linked cards are stored as tokens that can be intercepted through Android vulnerabilities (e.g., Android, CVE-2023-20954).
- π² Fake Notifications: Fraudsters Send Push Notifications Asking to βConfirm Paymentβ by Redirecting to Phishing Sites.
- π Device cloning: If hackers gain root access, they can copy Google Pay data to another device.
To secure Google Pay:
- Update Google Play Services to the latest version (check Settings) β Annexes β Google Play Services).
- Enable Lock When Unlocking: Settings β Google β Security β Lock screen settings β Unblocking is required for purchases
- Remove unused unlocking techniques (such as Smart Lock or facial recognition) as they are less reliable than the ones you use. PIN finger-print.
- Check the list of trusted devices in your Google Pay account and delete the unknowns.
If you have lost your device or it has been stolen:
- Remove it from the list of trusted in Google Pay (via the web version).
- Use the "Find the device" function" (google.com/android/find) locking and cleaning data.
- Contact the bank to block tokenized cards.
π‘
If you use Google Pay frequently in transportation, add the card to βTransport Modeβ (in the card settings) and this will limit the charge to fare only, reducing the risk of theft of funds.
5. How to protect bank cards tied to Xiaomi devices
Many users link maps directly to Xiaomi devices through Settings β Memory. β Payments or banking apps. It's convenient but dangerous. Here are 3 critical rules:
- Never save. CVV-Even if the system says "remember data for convenience," don't. In 2026, there were cases of theft. CVV through vulnerabilities MIUI.
- Use virtual cards to link. Many banks (e.g. Tinkoff, Sberbank) allow you to create a one-time card with a limit.
- Set up geo-blocking in your mobile bank so that the card only works in your region.
For additional protection:
- π Set up a separate one. PIN-Payment code (other than screen unlocking) can be done in Settings β Security β Application lockdown.
- π΅ Turn off automatic connection to open Wi-Fi (Settings) β Wi-Fi β Additionally. β Auto-connection to open networks).
- π‘οΈ Install antivirus with payment protection (for example, Kaspersky Internet Security or Bitdefender).
If you are using Xiaomi Mi TV or Mi Box for payments (for example, through Google Play Films:
- Turn off saving payment data in Settings β Accounts. β Google β Payment.
- Use guest mode to view content if the device is used by other people.
What if the bank refuses to return the stolen money?
Hardware Protection: From Biometrics to Titan M Chips
Software measures are important, but real security is provided by hardware solutions.Modern flagships Xiaomi (for example, Xiaomi 14 Ultra or Redmi). K70 Pros are equipped with security chips similar to Google Titan M. Hereβs how to use them:
| Protection method | How to turn it on | Supported devices |
|---|---|---|
| Hardware encryption of payment data | Settings β Security β Encryption β Encrypt payment data | Xiaomi 13/14, Redmi K60/K70, POCO F5 |
| Blocking through Trusted Execution Environment (TEE) | It is automatically enabled when Mi Pay is activated on supported devices. | Xiaomi 12T And newer, Redmi Note 12 Pro+ |
| Two-factor authentication at the iron level | Requires a physical security key binding (e.g., YubiKey) | Xiaomi 14 (c) MIUI 15) |
For devices without hardware protection (e.g., Redmi) 10A or POCO M5) recommended:
- Use external tokens (for example, Token2 or Feitian to confirm payments.
- Shut down. USB-debugging (Settings) β For developers β Debugging by USB), Because it can steal payment application data.
- Install an alternative firmware with enhanced security (e.g. LineageOS with MicroG) if official updates do not fix vulnerabilities.
β οΈ Warning: If you buy a Xiaomi device with your hands, be sure to complete a full reset (Settings) β The phone. β Reset settings) and check it for root rights using the Root Checker app. Devices with root access cannot be used securely for payments!
7.Cloud Security: How to Protect Xiaomi Cloud from Leaks
Xiaomi Cloud stores backups of payment data if synchronization is enabled. In 2023, researchers at Citizen Lab discovered that data was being transferred to servers in China without proper encryption, to minimize the risks:
- Turn off payment data synchronization: Settings β Accounts. β Xiaomi β Synchronization β Payments (offline)
- Use it. VPN Encrypted (e.g. ProtonVPN or NordVPN) when you sign in to your Xiaomi account.
- Set up two-step authentication for Mi Account: Settings β Accounts. β Xiaomi β Security β Two-step verification
- Check the list of devices connected to your account regularly and delete unknown devices.
If you suspect a data breach from Xiaomi Cloud:
- Change your password and secret question (often scammers restore access by guessing answers).
- Call off all active sessions: Settings β Accounts. β Xiaomi β Device management β Shut it down.
- Contact Xiaomi support via the official website and request an account activity log.
π‘
Even if you donβt use Mi Pay, your Xiaomi account may contain bank card details linked to other services (such as Mi Store or Mi Video).
8 What to do if money has already been stolen: an action plan
If you are a victim of fraud, follow the following algorithm:
- Lock your card through a mobile bank or by phone on a bank hotline. SMS-Notifications - Call yourself!
- Save the evidence: Screenshots of transactions from a mobile bank, logs from Mi Pay or Google Pay (Payment History section), if the attack was through phishing, screenshot SMS site.
Write a statement to the bank.
MIUI
Report to the police
Check the device for malware
Kaspersky Virus Removal Tool
Malwarebytes
Change all passwords.
Mi Account
If the bank refuses to return funds, contact Rospotrebnadzor or the Central Bank of the Russian Federation with a complaint about violation of the law "On Protection of Consumer Rights", in 80% of cases this helps to return the money.
β οΈ Warning: Fraudsters often call on behalf of the bank after the theft, offering "assistance in refunding." Never give them the codes from the bank. SMS Banks don't ask for that information over the phone.