
Xiaomi MediaTek TEE Vulnerability: Mobile Payment Security Risks and Defense Strategies for 2026

Check Point’s analysis reveals critical security vulnerabilities in Xiaomi devices using MediaTek processors. These flaws allow attackers to bypass protections, potentially falsifying or disabling the pay system, even from unprivileged Android apps.

Ozan Ucar, Founder and CEO of Keepnet

Xiaomi MediaTek Security Flaw Allows Vulnerability Exploits in Pay Systems

Security Researchers Find Security Flaws in Xiaomi Devices’ Pay System on MediaTek Processors

In a recent analysis, security researchers uncovered serious security vulnerabilities in Xiaomi smartphones that run on MediaTek processors. The vulnerabilities are specifically associated with the pay system integrated into these devices, allowing attackers to bypass security protocols, potentially altering pay packets or even disabling the system without privileged access. These findings raise critical security concerns for Xiaomi users who rely on mobile payments, as attackers could exploit the Trusted Execution Environment (TEE) to bypass core protections. Learn more: What Is Phishing How To Protect Yourself From It.

What is TEE, and Why is It Critical?

The Trusted Execution Environment (TEE) is a secure, isolated section of a device designed to process and protect sensitive data such as cryptographic keys and biometric data (e.g., fingerprints). TEE’s security is based on hardware extensions, such as ARM TrustZone, that separate it from the regular operating system to ensure that the data within it remains safe even if the device is compromised. Common TEE implementations include Qualcomm Secure Execution Environment (QSEE) and Trustonic Kinibi.

For Xiaomi devices:

  • Those using Qualcomm processors are equipped with QSEE for TEE.
  • Devices using MediaTek processors rely on Trustonic Kinibi.

In this case, the researchers’ findings apply to Xiaomi devices with MediaTek processors, highlighting risks in the TEE’s isolation and functionality.

The Researchers’ Key Findings: Security Flaws in Xiaomi’s Pay System

The researchers’ analysis focused on Xiaomi’s pay system as implemented on the Xiaomi Redmi Note 9T 5G running MIUI Global 12.5.6.0. The main issues they identified are as follows:

  • Vulnerabilities in Trusted Applications: Trusted applications within the TEE are meant to have high security standards, but researchers discovered that Xiaomi’s TEE application allowed for multiple application signatures that could be easily modified due to overlapping “magic fields.” This overlap also impacts other Xiaomi models, including Xiaomi T11 and Xiaomi Note 8 Pro.
  • Exploitable Update Mechanism: One critical flaw is that attackers can bypass security fixes released by Xiaomi or MediaTek. By exploiting version control vulnerabilities, an attacker could potentially install older, unpatched versions of trusted applications, thus undoing security updates and exposing the pay system to attacks.
  • Remote Exploitation Potential: The flaw allows attackers to remotely alter or disable the pay system even through non-privileged Android applications. Essentially, this means that regular applications without elevated permissions could gain access to sensitive processes typically secured within the TEE.

Why Are TEE Vulnerabilities Especially Dangerous?

Given its responsibility for secure processing and storage of sensitive information, any breach of the TEE is concerning. In Xiaomi’s case, the vulnerabilities discovered in the TEE could allow attackers to:

  • Falsify Pay Packets: Attackers could manipulate pay packets, allowing for fraudulent transactions.
  • Disable the Pay System: By compromising the TEE, attackers could render Xiaomi’s pay system inoperative, affecting users’ ability to make secure payments.
  • Access Cryptographic Keys: If exploited, this flaw could expose cryptographic keys stored within the TEE, leading to broader security risks.

Hardware-level protections like ARM TrustZone are designed to shield the TEE even on rooted or malware-infected devices, so the TEE is normally the last line of defense in a compromised environment. However, the ability to downgrade trusted applications introduces an attack vector that hardware-based isolation alone cannot prevent.

How Attackers Bypass Security Fixes in Trusted Applications

One of the more alarming aspects of the researchers’ discovery is the potential for security patch circumvention in Xiaomi’s TEE. When Xiaomi or MediaTek releases a security update, it typically patches vulnerabilities in the trusted application. However, by downloading and installing an older, unpatched version of the app, attackers can bypass these updates and exploit known vulnerabilities that were previously resolved.

This vulnerability opens doors for attackers to use old exploits even after Xiaomi has provided patches, undermining user confidence and leaving device security vulnerable despite efforts to secure it.

What Does This Mean for Xiaomi Users?

For users of Xiaomi devices running MediaTek processors, this discovery underscores a significant security risk in their smartphone’s payment capabilities. Xiaomi and MediaTek are likely already aware of these issues, but full mitigation may require comprehensive updates that address the root causes of application signature and version control vulnerabilities. For users, it’s essential to stay aware of updates from Xiaomi and MediaTek and to install security patches as soon as they’re available.

In addition to Xiaomi, other device manufacturers may need to examine similar issues, as the flaws in TEE implementation could reflect a broader trend in mobile security.

Recommendations for Enhanced Security

While waiting for Xiaomi to address these vulnerabilities, here are a few actions that IT and security teams can consider to safeguard devices and users in their organizations:

  1. Regular Security Patch Updates: Ensure that all device updates are applied as soon as they’re released, especially those related to TEE or payment security.
  2. Educate Users: Security awareness training is crucial to help users recognize potential threats. Security Awareness Training can empower users to spot unusual behaviors and follow best practices.
  3. Restrict Sensitive Apps to Secure Devices: Encourage users to avoid installing sensitive applications, like payment apps, on rooted or unverified devices to reduce potential attack vectors.
  4. Implement Phishing and Quishing Simulators: To protect employees against phishing or QR-based attacks that could lead to TEE exploitation, consider using phishing simulators and quishing simulators to enhance security awareness.

As mobile security threats continue to evolve, TEE vulnerabilities remind us of the complexity of safeguarding sensitive information. With stronger protection protocols and regular security patches, users can better protect themselves against vulnerabilities. For organizations, proactive defense measures like human risk management are invaluable.

Editor's Note: This article was updated on June 1, 2026.



Frequently Asked Questions

What vulnerability was found in Xiaomi devices with MediaTek chips?

Security researchers discovered vulnerabilities in the Trusted Execution Environment (TEE) implementation on Xiaomi devices using MediaTek processors. Specifically, the researchers found flaws in trusted applications running within the TEE that could allow an attacker to forge payment packets, manipulate transaction data, and potentially execute arbitrary code within the secure environment. The vulnerability was found in Xiaomi's pay system as implemented on the Redmi Note 9T and similar devices.

What is a Trusted Execution Environment (TEE) and why does it matter for mobile payments?

A TEE is a secure, isolated area within a device's processor that is separated from the main operating system. It is designed to run sensitive code and handle sensitive data, such as cryptographic keys, biometric data, and payment credentials, in a protected environment that the main OS and applications cannot access. Mobile payment systems rely on the TEE to ensure that payment transactions cannot be intercepted or manipulated by malware running on the main OS. When the TEE itself is compromised, the security guarantees of mobile payments collapse.

What is the difference between QSEE and Kinibi TEE implementations?

QSEE (Qualcomm Secure Execution Environment) is Qualcomm's proprietary TEE implementation used on devices with Snapdragon processors. Kinibi is the TEE implementation used on devices with MediaTek processors, developed by Trustonic. The vulnerability described in this article specifically affects the Kinibi implementation on MediaTek-powered Xiaomi devices. Devices with Qualcomm processors use QSEE and are not affected by this particular vulnerability.

How could attackers exploit this Xiaomi vulnerability?

Exploitation of this vulnerability could allow attackers to: falsify payment packets to make fraudulent transactions appear legitimate; disable the signature verification that prevents tampering with payment data; execute old, already patched vulnerable versions of trusted applications by downgrading them; and on rooted devices, escalate privileges to access the TEE directly. The most concerning aspect is the ability to deploy older vulnerable versions of trusted applications, potentially bypassing security patches already issued by Xiaomi.

Are users of Xiaomi devices with MediaTek chips at immediate risk?

The risk depends on whether the device is running the latest software updates and whether it has been rooted. On unrooted devices running fully patched software, exploitation is significantly more difficult and typically requires prior access to the device. On rooted devices, the attack surface is much larger. Users should apply all available Xiaomi and MediaTek security patches promptly, avoid rooting devices used for mobile payments, and review the apps installed on their devices for suspicious activity.

Why is it possible to bypass security fixes by downgrading trusted applications?

Trusted application downgrade attacks exploit the fact that many TEE implementations do not enforce a minimum version requirement for trusted applications, or the enforcement mechanism itself has flaws. An attacker who can load an older version of a trusted application into the TEE can reintroduce vulnerabilities that were fixed in newer versions. This is particularly concerning because it means that a device can be fully patched at the OS level but still be vulnerable to attacks targeting older trusted application versions within the TEE.
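To make the downgrade problem described here and in the "How Attackers Bypass Security Fixes" section concrete, the following is an added model of a TEE trusted-application loader, not Xiaomi's, Trustonic's or MediaTek's code. It assumes a simplified image format (name, version, body, MAC) and uses HMAC as a stand-in for the vendor signature; both the patched and the old image are validly signed, and only the monotonic version floor stops the old one from loading.

```python
import hmac
import hashlib
import struct

# Constructed stand-in for the vendor's signing key. A real TEE verifies an
# asymmetric signature against a hardware-rooted key; HMAC keeps this offline.
VENDOR_KEY = b"constructed-demo-vendor-key"
HEADER_FMT = ">16sI"                       # 16-byte TA name, 32-bit version
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 20 bytes
MAC_LEN = 32

def sign_ta(name: str, version: int, code: bytes) -> bytes:
    """Produce a 'vendor-signed' TA image: header || code || MAC."""
    header = struct.pack(HEADER_FMT, name.encode().ljust(16, b"\0"), version)
    mac = hmac.new(VENDOR_KEY, header + code, hashlib.sha256).digest()
    return header + code + mac

class TALoader:
    """Model of a TEE loader; rollback protection is switchable to show the gap."""
    def __init__(self, rollback_protection: bool):
        self.rollback_protection = rollback_protection
        self.min_version = {}   # per-TA monotonic counter (secure storage in a real TEE)

    def load(self, image: bytes) -> str:
        header, code, mac = image[:HEADER_LEN], image[HEADER_LEN:-MAC_LEN], image[-MAC_LEN:]
        expected = hmac.new(VENDOR_KEY, header + code, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return "rejected: bad signature"
        raw_name, version = struct.unpack(HEADER_FMT, header)
        name = raw_name.rstrip(b"\0").decode()
        floor = self.min_version.get(name, 0)
        # A valid signature only proves the vendor once shipped this image; an
        # old, vulnerable build is still validly signed. The version floor is
        # what actually blocks the downgrade.
        if self.rollback_protection and version < floor:
            return f"rejected: v{version} is below enforced minimum v{floor}"
        self.min_version[name] = max(version, floor)
        return f"loaded {name} v{version}"

def downgrade_scenario(rollback_protection: bool) -> list:
    """Install the patched TA (v2), then offer the older, vulnerable v1."""
    loader = TALoader(rollback_protection)
    patched = sign_ta("pay_ta", 2, b"patched code")      # constructed images
    old = sign_ta("pay_ta", 1, b"vulnerable code")
    return [loader.load(patched), loader.load(old)]

if __name__ == "__main__":
    print(downgrade_scenario(False))   # old build reloads: the flaw described
    print(downgrade_scenario(True))    # old build rejected by the version floor
```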

What should IT administrators do to protect organizational devices from TEE vulnerabilities?

IT administrators should ensure that all mobile devices used for work, including personal devices with access to corporate resources, are running the latest firmware and security patches. Devices used for financial transactions or handling sensitive data should have mobile device management (MDM) policies enforced that prevent rooting, require minimum OS and firmware versions, and monitor for unusual application behavior. High-risk applications such as mobile payment apps should be restricted to devices that meet strict security compliance requirements.

How do mobile security vulnerabilities affect organizational security?

Mobile security vulnerabilities affect organizational security because employees use mobile devices to access corporate email, applications, and data. A vulnerability in a mobile device's payment system or TEE can potentially be leveraged to access other sensitive data on the device, intercept corporate communications, or serve as a pivot point to access corporate networks. Organizations with BYOD policies are particularly exposed because they cannot guarantee that personal devices meet security standards.

What is responsible disclosure and how was it followed in this case?

Responsible disclosure is the practice of notifying a vendor about a security vulnerability privately before publishing details publicly, giving the vendor time to develop and release a fix. In this case, the researchers followed responsible disclosure by reporting the vulnerabilities to Xiaomi and MediaTek before publishing their findings. Xiaomi and MediaTek subsequently released security patches addressing the identified vulnerabilities. This process allows affected users to receive a fix before attackers can develop working exploits based on publicly available details.

How can employees be trained to reduce mobile security risks?

Employee training on mobile security should cover: applying device updates promptly and understanding why they matter; avoiding installing apps from unofficial sources; recognizing signs of device compromise such as unusual battery drain or unexpected data usage; not using personal devices for sensitive financial transactions unless they meet security requirements; and knowing how to report a suspected device compromise. Keepnet's Security Awareness Training includes mobile security modules that can be delivered directly to employees' mobile devices.