Xiaomi and UnionPay Built an NFC Shield Into the Redmi Note 17 — Here's How It Stops Mobile Bank Fraud

You get a call from someone claiming to be your bank. They sound convincing. They talk you through downloading an app. And before you know it, someone on the other side of the country is draining your account through NFC — not by tapping your card, but by tricking your phone into doing it for them.

That four-step scam — impersonation, download, inducement, NFC theft — has been one of the fastest-growing categories of mobile fraud in China. On Thursday, China UnionPay and Xiaomi announced a joint solution that tackles the problem at every stage, and it ships in the Redmi Note 17 series.

“People see headlines about ‘NFC remote theft’ and assume the NFC protocol itself is the vulnerability,” said Zhang Xiaolan, a manager at UnionPay’s risk control division. “That’s not what’s happening. The real problem is social engineering — fraudsters tricking users into installing malware that then abuses NFC permissions.”

The scams typically follow a predictable pattern. First comes identity impersonation: a fraudster poses as a customer service agent, police officer, or bank employee. Then comes the download: the victim is guided to install a malicious app from outside official app stores. That app, once installed, is used to induce the victim into authorizing NFC card-reading operations. Finally, the scammer remotely drains funds via the phone’s NFC chip.

Xiaomi’s system, built with UnionPay, hits all four links in the chain.

On the call and SMS front, Xiaomi’s phones now use an AI model to detect scam communications in real time — flagging high-risk phone numbers, suspicious links, and impersonation patterns before the user even engages. If the AI tags a call as high-probability fraud, the phone surfaces a warning directly on the lock screen.

The download phase is where the system gets aggressive. Xiaomi’s MIUI/HyperOS already runs extensive risk screening on sideloaded apps. Unverified applications from outside the official store trigger warnings, and in high-risk cases the system blocks installation outright. There’s also a “family guardian” mode that lets a relative remotely review and uninstall suspicious apps on a less tech-savvy user’s phone.

But the most novel layer sits at the NFC level itself. When a card-reading request arrives, the system checks whether the requesting app came from an authorized source verified by the app store. Legitimate apps — your bank, your transit card, your payment wallet — pass through normally. If a sideloaded or suspicious app tries to initiate an NFC card read, the system intercepts the instruction at the kernel level. No dialog, no “are you sure” prompt that a scammer could talk the victim through. The request is simply blocked.

Xiong Zuojin, a product specialist at Xiaomi’s security and privacy division, said the team traced the full lifecycle of NFC fraud before designing the defense. “This isn’t a fraud that starts when someone taps a card. It starts with a phone call,” Xiong said. “Our system breaks the chain before each link can connect to the next.”

The Redmi Note 17 series will be the first devices to carry the feature. Xiaomi hasn’t said whether the system will roll out to older models through software updates, but UnionPay’s involvement suggests the architecture isn’t tied to specific hardware.

For now, the advice from both companies is simple: don’t trust unsolicited calls, don’t install apps from outside official stores, and never hand over remote control of your screen. The software can block some attacks, but the first line of defense is still the person holding the phone.