Seems about right for Xiaomi
I've owned Xiaomi kit and found the hardware is great but the software always seems to let it down.
Oversecured, a business that scans mobile apps for security issues, says it has identified more than two dozen vulnerabilities over the past few years affecting Android apps from smartphone maker Xiaomi and Google's Android Open Source Project (AOSP). Twenty of the vulnerabilities, we're told, were reported a year ago to …
There is a full report about Pinduoduo's nefarious activities from Chinese researchers (also in English) on GitHub, along with samples of the DEX files and a bin file which hid all its activities, which isn't too hard to find with a DDG web search.
The GitHub account also contains helpful scripts to be used with Python's "pwntools" PyPI library to decrypt the strings in the DEX files so you can see how they exploited intents in Android on several different Android phone manufacturers.
Happy Hunting!