Security researchers from cryptocurrency hardware wallet manufacturer Ledger have uncovered a severe vulnerability in certain Android smartphones powered by MediaTek processors. The flaw, discovered by Ledger's internal Donjon team, could allow attackers to extract encrypted user data—including device PINs and cryptocurrency wallet seed phrases—in under 45 seconds using only a USB connection, before the Android operating system even boots.
The exploit was demonstrated on a Nothing CMF Phone 1, a low-cost, modular Android device released in 2024. By targeting the phone's secure boot chain, attackers can connect via USB, extract root cryptographic keys, and decrypt the device's storage offline. Ledger CTO Charles Guillemet stated on X, "Even when powered off, user data—including PINs and [seed phrases]—can be extracted in under a minute."
The Donjon team reported successfully recovering the phone's PIN, decrypting its storage, and extracting seed phrases from several popular software crypto wallets, including Trust Wallet, Base, Kraken Wallet, Rabby, Tangem’s mobile wallet, and Phantom. While the demonstration focused on the Nothing phone, other devices using MediaTek chips—including the crypto-centric Solana Seeker and smartphones from Samsung, Motorola, Xiaomi, and others—could potentially be susceptible, though the full scope is not yet clear.
MediaTek issued a fix to device manufacturers in January 2026, but did not publicly address the issue until March, following Ledger's responsible disclosure under a 90-day policy. The vulnerability highlights a growing security concern, as a July 2025 Chainalysis report noted that personal wallet compromises represented 23.35% of all stolen cryptocurrency funds year-to-date, indicating a rising trend of attackers targeting individual users.
Guillemet emphasized the architectural security gap, noting that "general-purpose chips are built for convenience" while "Secure Elements are built for key protection." The discovery underscores the risks associated with software wallets on general-purpose mobile devices compared to dedicated hardware wallets with isolated secure elements.
