Global smartphone player Xiaomi has fixed some bugs that were identified in its mobile payment mechanism by cyber security researchers, Check Point Research (CPR) said.

Left unpatched, an attacker could steal private keys used to sign Wechat Pay control and payment packages, and an unprivileged Android app could have created and signed a fake payment package.

The cyber-security researchers disclosed its findings to Xiaomi, which acknowledged and issued immediate fixes for the bugs.

"We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application," said Slava Makkaveev, security researcher at Check Point.

Over 1 billion users could have been affected by the bugs, if left unpatched.

"We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi's trusted applications are being reviewed for security issues," Makkaveev added.

The cyber-security firm  immediately disclosed the findings to Xiaomi, which "worked swiftly to issue a fix".

The devices studied by CPR were powered by MediaTek chips.

The team detailed two ways to attack the trusted code.

"First, from an unprivileged Android app, where the user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money," said the CPR team.

Second, if the attacker has the target devices in their hands.

"The attacker roots the device, then downgrades the trust environment, and then runs the code to create a fake payment package without an application," it added.