Security researcher Gabi Cirlig has discovered that his Redmi Note 8 usage habits were being tracked and sent to servers hosted by Alibaba in Singapore and Russia that have been rented by Xiaomi. This included the folders he opened on his phone, the screens he swiped to including the status bar and the settings menu. As if that was not enough, Xiaomi was even tracking what music Cirlig was listening to using the default music player on his Redmi phone.
The security researcher also found that whenever he browsed the web using Xiaomi's default browser app, it kept a record of all the websites he visited, search engine queries, and the items viewed on the browser's newsfeed. More worryingly, the behavior continued even when using the incognito mode in the browser. The security researcher found the same tracking code in other Xiaomi phones as well including premium models like the Redmi K20, Mi 10, and Mi Mix 3.