- Ledger’s Donjon team attacked MediaTek-powered phones and recovered PINs and crypto wallet seed phrases
- Attackers can extract cryptographic root keys from powered-down Android devices via USB
- Trustonic’s Trusted Execution Environment does not prevent the attack on a quarter of Android devices
Ledger’s white-hat hacking team, Donjon, discovered a vulnerability in MediaTek-powered Android smartphones that allows attackers to access sensitive data in less than a minute.
Using a Nothing CMF Phone 1, Donjon completely bypassed the Android operating system, recovered the PIN, decrypted storage and extracted seed phrases from several crypto wallets.
The flaw affects devices that use Trustonic’s Trusted Execution Environment with MediaTek processors, found in about one in four Android smartphones worldwide.
Attackers can connect a powered-off phone via USB and obtain root cryptographic keys before the operating system loads.
Once obtained, these keys allow offline storage decryption and brute-forcing of the device’s PIN, exposing application data, including messages, photos and wallet information.
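The two sentences above explain the attack's consequence in one line: once the root key that should stay inside the hardware is out, the PIN is no longer protected by the TEE's attempt throttling and can be searched offline. The toy model below is an added illustration, not Ledger's, MediaTek's or Trustonic's code, and it does not reproduce Android's real key hierarchy. It assumes a constructed scheme in which the storage key is derived from both a hardware root key and the PIN, a TEE that only exposes a throttled unlock call (the lockout policy is invented for the model), and a constructed root key and PIN. It shows the same exhaustive PIN search costing months of lockout through the TEE and a few thousand hash calls once the root key has leaked.

```python
"""Toy model of why a leaked hardware root key turns a short PIN into a
trivially searchable secret. Constructed for illustration; not Android's,
MediaTek's or Trustonic's real design."""
import hashlib
import hmac
import itertools
from dataclasses import dataclass

# Constructed values. A real device generates its root key in hardware and
# software is never meant to read it; that is the property the flaw breaks.
TOY_ROOT_KEY = bytes(range(32))
TOY_PIN = "4831"


def derive_storage_key(root_key: bytes, pin: str) -> bytes:
    """Storage key = f(root key, PIN): neither input alone is enough."""
    return hmac.new(root_key, pin.encode(), "sha256").digest()


def key_check_value(storage_key: bytes) -> bytes:
    """Tag the TEE keeps so it can recognise the right key without storing it."""
    return hashlib.sha256(b"kcv|" + storage_key).digest()


@dataclass
class ToyTEE:
    """Holds the root key and exposes only a throttled unlock() call.
    Constructed lockout policy: 5 free failures, then 30 s per failure,
    doubling every further 10 failures, capped at 3600 s per attempt."""
    root_key: bytes
    check: bytes
    failures: int = 0
    lockout_seconds: float = 0.0

    def unlock(self, pin: str):
        candidate = derive_storage_key(self.root_key, pin)
        if hmac.compare_digest(key_check_value(candidate), self.check):
            self.failures = 0
            return candidate
        self.failures += 1
        if self.failures > 5:
            delay = min(30.0 * 2 ** ((self.failures - 6) // 10), 3600.0)
            self.lockout_seconds += delay
        return None


def provision(root_key: bytes, pin: str) -> ToyTEE:
    """Enrol a PIN: the TEE stores only the check value, never the PIN."""
    return ToyTEE(root_key, key_check_value(derive_storage_key(root_key, pin)))


def search_pins(try_pin, digits: int):
    """Exhaustive PIN search through whatever checker it is given.
    Returns (pin, attempts), or (None, 10**digits) if nothing matched."""
    for n, combo in enumerate(itertools.product("0123456789", repeat=digits), 1):
        pin = "".join(combo)
        if try_pin(pin):
            return pin, n
    return None, 10 ** digits


def gated_search(tee: ToyTEE, digits: int):
    """Search via the TEE: every attempt pays the throttle. Returns
    (pin, attempts, total lockout seconds the policy would impose)."""
    pin, attempts = search_pins(lambda p: tee.unlock(p) is not None, digits)
    return pin, attempts, tee.lockout_seconds


def offline_search(leaked_root_key: bytes, check: bytes, digits: int):
    """Search with the root key in hand: the TEE and its throttle are bypassed,
    and the only cost is one HMAC plus one hash per candidate PIN."""
    def matches(p: str) -> bool:
        return hmac.compare_digest(
            key_check_value(derive_storage_key(leaked_root_key, p)), check)
    return search_pins(matches, digits)


if __name__ == "__main__":
    tee = provision(TOY_ROOT_KEY, TOY_PIN)
    pin, tries, lockout = gated_search(tee, len(TOY_PIN))
    print(f"via TEE: {pin} after {tries} attempts, {lockout / 86400:.0f} days of lockout")
    pin, tries = offline_search(TOY_ROOT_KEY, tee.check, len(TOY_PIN))
    print(f"offline with leaked root key: {pin} after {tries} attempts, no lockout")
```

The model makes the defensive point concrete: PIN length and lockout policy only matter while the root key stays where the TEE can gate every use of it. A four-digit PIN is fine under the throttled interface and worthless once the key can be used outside it, which is why the fix has to land in the firmware that protects the key rather than in a stricter PIN policy.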
Zero-click attacks reveal that Android smartphones often lack sufficient hardware and firmware protections to secure sensitive user information against advanced exploits.
“This research proves what we’ve long warned about: smartphones were never designed to be vaults. Although this can be patched, and we encourage all users to update with the latest security patches,” said Charles Guillemet, Chief Technology Officer at Ledger.
“If your crypto sits on a phone, it’s only as secure as the weakest link in the phone’s hardware, firmware, or software.”
The Donjon team conducts regular audits of Ledger’s devices and third-party hardware and responsibly discloses vulnerabilities to allow manufacturers to issue patches before exploitation occurs.
Ledger disclosed this vulnerability to MediaTek and Trustonic during the standard 90-day disclosure process, allowing time for security patches to reach affected OEMs.
MediaTek confirmed that it provided updates to OEMs on January 5, 2026, and the vulnerability was published on March 2, 2026, as CVE-2025-20435.
Users should immediately install security updates to mitigate potential attacks, as upgradable firmware remains critical for effective patching of zero-day exploits.
This exploit exposes the risks associated with relying on mobile devices to store private data, including crypto wallets and other sensitive information.
All data stored on Android smartphones remains susceptible to hardware-based attacks, emphasizing that immediate patching is the only practical defense against advanced threats.
Users should be aware that even modern business smartphones have inherent security risks, and hardware, firmware or software bugs can expose sensitive data without warning.
Sensitive business or personal data should not be considered safe on mobile phones, and reliance on these devices solely for asset storage is inherently risky.