- Ledger’s Donjon team exploited MediaTek phones, recovering PINs and seed phrases from crypto wallets
- Attackers can extract root cryptographic keys from powered off Android devices via USB
- Trustonic Trusted Execution Environment Fails to Prevent Attacks on a Quarter of Android Devices
Ledger’s white hat hacker team Donjon discovered a vulnerability in MediaTek-powered Android smartphones that allows attackers to access sensitive data in less than a minute.
Using a Nothing CMF Phone 1, Donjon completely bypassed the Android OS, retrieved the PIN, decrypted the storage, and extracted seed phrases from multiple crypto wallets.
The flaw affects devices that use Trustonic’s trusted execution environment alongside MediaTek processors, which are found in approximately one in four Android smartphones worldwide.
Article continues below.
Attackers can connect a powered-off phone via USB and recover root cryptographic keys before the operating system loads.
Once obtained, these keys allow offline decryption of the device’s storage and brute-forcing the PIN, exposing app data including messages, photos, and wallet information.
No-click attacks reveal that Android smartphones often lack sufficient hardware and firmware protections to protect sensitive user information from advanced vulnerabilities.
“This research demonstrates what we have long warned: smartphones were never designed to be vaults. While this can be patched, we encourage all users to update with the latest security fixes,” said Charles Guillemet, chief technology officer at Ledger.
“If your crypto is on a phone, it is only as secure as the weakest link in that phone’s hardware, firmware or software.”
The Donjon team conducts regular audits of Ledger devices and third-party hardware, responsibly disclosing vulnerabilities to allow manufacturers to release fixes before exploitation occurs.
Ledger disclosed this vulnerability to MediaTek and Trustonic under the standard 90-day disclosure process, allowing time for security patches to reach affected OEMs.
MediaTek confirmed that it delivered updates to OEMs on January 5, 2026, and the vulnerability was publicly disclosed on March 2, 2026 as CVE-2025-20435.
Users should immediately install security updates to mitigate potential attacks, as updateable firmware remains critical to effectively patch zero-day exploits.
This exploit reveals the risks inherent in relying on mobile devices to store private data, including crypto wallets and other sensitive information.
All data stored on Android smartphones remains susceptible to hardware-based attacks, emphasizing that immediate patching is the only practical defense against advanced threats.
Users should be aware that even modern business smartphones carry inherent security risks and that hardware, firmware or software failures can expose sensitive data without warning.
Sensitive business or personal data should not be considered secure on mobile phones, and relying solely on these devices to store assets is inherently risky.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
