This is indeed puzzling and concerning... if all that OP has said is true regarding their OpSec (only installed from Play Store, seed on paper in safe etc) then theoretically their funds should be "safe" from such events.

installed on Xiaomi mi9t pro.
Could this be a possible vector? The fact that it is a Xiaomi device? They run a custom version of the Android OS, right? Is it root-enabled?
