Security researchers at Ledger have identified a serious vulnerability that could affect a large share of the global Android smartphone ecosystem. The flaw may expose sensitive information on millions of Android phones built on certain chipsets; according to the researchers, the affected hardware is found in roughly 25% of Android phones worldwide.
The vulnerability involves specific Android chipsets produced by MediaTek and affects devices that use Trustonic’s Trusted Execution Environment (TEE). Researchers warned that attackers with brief physical access to a vulnerable device could extract sensitive data, including encryption keys and cryptocurrency wallet seed phrases, in less than a minute.
The security issue was identified by Ledger’s internal white-hat security unit, the Donjon team. Their investigation traced the vulnerability to the device’s boot chain, the sequence of firmware stages that verify system components as a phone powers on.
Normally, each stage of the boot chain is cryptographically verified before the next stage is allowed to run, so that only approved firmware ever executes with access to the device’s encryption keys, and sensitive information stays protected until the operating system is fully loaded.
In certain smartphones powered by the affected chipsets, however, the researchers found a weakness that can be exploited before Android finishes loading. By connecting the phone to a computer over USB, an attacker can bypass several of those protections.
The researchers demonstrated that this allowed automated guessing of the user’s PIN, decryption of the phone’s storage, and recovery of sensitive information such as messages and cryptocurrency wallet seed phrases.
During a proof-of-concept demonstration, Ledger’s Donjon team showed how the Android phone vulnerability could be exploited in under a minute. In their test, a Nothing CMF Phone 1 was connected to a laptop using a USB cable.
Within 45 seconds, researchers were able to recover the device’s PIN code, decrypt its encrypted storage, and extract seed phrases from six cryptocurrency wallet applications: Trust Wallet, Base, Kraken Wallet, Rabby, Tangem, and Phantom.
The attack required only a brief physical connection to a computer and did not involve installing malware or interacting with the phone’s screen. Researchers noted that the vulnerability could allow attackers to obtain the root cryptographic keys responsible for securing full-disk encryption on affected Android smartphones.
Once those keys are extracted, the phone’s data can be decrypted offline.
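The offline step is the security-relevant point: a short PIN is only as strong as the throttling that guards it, and once the hardware-bound secret leaves the TEE no throttling applies. The following constructed Python model is an added example, not Ledger’s, MediaTek’s or Android’s code, and it is deliberately simpler than Android’s real Gatekeeper/Keymaster design. It assumes a storage key derived from the PIN and a device-unique secret, a hypothetical `TeeGatekeeper` class standing in for the TEE, and a constructed back-off policy (30 s doubling after five failures, capped at an hour). The same verifier resists online guessing but falls to offline brute force in seconds once the secret is read out.

```python
"""Constructed model of why a leaked hardware-bound secret turns a screen-lock PIN
into an offline brute-force target. Added example: not Ledger's, MediaTek's or
Android's code, and deliberately simpler than Android's real Gatekeeper/Keymaster."""
import hashlib
import hmac
import itertools
import os
import time
from typing import Optional, Tuple

PIN_LENGTH = 4
KDF_ITERATIONS = 1000  # kept small so the demo finishes in seconds; real devices stretch far harder
MAX_DELAY = 3600       # constructed back-off cap; real vendor policies differ


def throttle_delay(failures: int) -> int:
    """Constructed lockout policy: five free tries, then 30 s doubling up to MAX_DELAY."""
    if failures <= 5:
        return 0
    return min(MAX_DELAY, 30 * 2 ** (failures - 6))


def derive_key(pin: str, salt: bytes, hw_secret: bytes) -> bytes:
    """Storage key bound to both the PIN and a device-unique secret that should never leave the TEE.
    A 4-digit PIN has only 10^4 possibilities; hw_secret is what keeps that search from being
    run on the attacker's own hardware."""
    stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=32)
    return hmac.new(hw_secret, stretched, hashlib.sha256).digest()


class TeeGatekeeper:
    """Hypothetical stand-in for the TEE: keeps hw_secret, throttles guesses, releases the key only on a match."""

    def __init__(self, pin: str, hw_secret: Optional[bytes] = None):
        self._hw_secret = hw_secret if hw_secret is not None else os.urandom(32)
        self.salt = os.urandom(16)
        # Store a check value of the key rather than the key itself.
        self.verifier = hashlib.sha256(derive_key(pin, self.salt, self._hw_secret)).digest()
        self.failures = 0

    def unlock(self, pin: str) -> Tuple[Optional[bytes], int]:
        """Returns (storage key or None, seconds the caller must wait before the next attempt)."""
        key = derive_key(pin, self.salt, self._hw_secret)
        if hmac.compare_digest(hashlib.sha256(key).digest(), self.verifier):
            self.failures = 0
            return key, 0
        self.failures += 1
        return None, throttle_delay(self.failures)

    def leak_hw_secret(self) -> bytes:
        """Models the boot-chain flaw: the secret is read out over USB before Android loads."""
        return self._hw_secret


def online_attack_seconds(pin_space: int) -> int:
    """Total enforced waiting for an attacker who must try every PIN through the throttled TEE."""
    return sum(throttle_delay(f) for f in range(1, pin_space))


def offline_bruteforce(salt: bytes, verifier: bytes, hw_secret: bytes) -> Optional[str]:
    """With hw_secret, salt and verifier in hand, the KDF runs locally with no throttling at all."""
    for digits in itertools.product("0123456789", repeat=PIN_LENGTH):
        pin = "".join(digits)
        candidate = derive_key(pin, salt, hw_secret)
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), verifier):
            return pin
    return None


if __name__ == "__main__":
    gk = TeeGatekeeper("4821")  # constructed PIN for the demo
    for guess in ("0000", "1111", "2222", "3333", "4444", "5555", "6666"):
        key, wait = gk.unlock(guess)
        print(f"online guess {guess}: {'unlocked' if key else 'rejected'}, next attempt in {wait}s")
    days = online_attack_seconds(10 ** PIN_LENGTH) / 86400
    print(f"exhaustive online search costs about {days:.0f} days of enforced waiting")
    start = time.perf_counter()
    recovered = offline_bruteforce(gk.salt, gk.verifier, gk.leak_hw_secret())
    print(f"offline search with the leaked secret: PIN {recovered} in {time.perf_counter() - start:.1f}s")
```

The contrast is the lesson: the KDF cost is identical on both paths, so the defence never lived in the PIN or the hashing, only in the fact that `hw_secret` and the failure counter were supposed to be reachable solely through the TEE’s throttled interface.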
The vulnerability affects devices built on certain MediaTek chipsets that rely on Trustonic’s Trusted Execution Environment. MediaTek processors are widely used in Android smartphones, particularly in the budget and midrange segments; industry estimates put them in roughly one quarter of Android handsets worldwide.
That is the basis for the 25% figure, but not every device using MediaTek hardware is vulnerable.
The vulnerability is documented under case number 2026-20435 in a MediaTek security bulletin. MediaTek confirmed that it provided a firmware fix to original equipment manufacturers (OEMs) in January, but the patch only reaches users once each OEM incorporates it and ships a device update.
Until that update is installed, an affected phone remains exposed.
Charles Guillemet, Chief Technology Officer at Ledger, emphasized that smartphones were never designed to function as highly secure storage systems for sensitive digital assets.
“Smartphones were never designed to be vaults,” Guillemet said.
He added: “If your crypto sits on a phone, it’s only as safe as the weakest link in that phone’s hardware, firmware, or software.”
Ledger advised users of potentially affected Android smartphones to install security updates as soon as their device maker releases them.