Could this be a possible vector? The fact that it is a Xiaomi device? They run a custom version of the Android OS, right? Is it root-enabled?

It is not rooted by default and it would take some effort to do so. They use a modified version of Android but I wouldn't suspect them because of that. Every single manufacturer does so. Also, they aren't a completely random Chinese brand.