Critical MediaTek flaw lets attackers steal phone crypto
Ledger has disclosed a critical vulnerability affecting some Android smartphones that use certain MediaTek processors. The flaw, which requires physical access to the device, could let an attacker extract sensitive data from a powered-off handset in under a minute.
Ledger's Donjon security research team demonstrated a proof-of-concept attack against a Nothing CMF Phone 1 connected to a laptop over USB. In the test, the team breached the phone's foundational security within 45 seconds, without booting into Android.
According to Ledger, the exploit recovered the handset PIN, decrypted storage, and extracted seed phrases from several software wallets. Affected apps named by Ledger include Trust Wallet, Base, Kraken Wallet, Rabby, Tangem's Mobile Wallet, Phantom, and others.
Boot chain flaw
Ledger said the weakness sits in MediaTek's secure boot chain, which runs before the operating system loads. The issue could affect software and security solutions on the device that rely on the seed provided by MediaTek's secure boot flow. A successful attacker could connect the device over USB and extract the cryptographic keys that protect Android full-disk encryption.
With those keys, the phone's storage can be decrypted offline and the PIN can be brute-forced quickly, exposing application data on the device, including wallet recovery phrases and other secrets.
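To make concrete why extracting a boot-chain secret turns the PIN into a weak link, here is a constructed, simplified model added to this article (not Ledger's code and not Android's real key-derivation scheme): a storage key is derived from the user PIN plus a per-device secret that is meant to stay inside the trusted firmware domain. As long as the device secret is unknown, a candidate PIN cannot be checked offline; once it leaks, a four-digit PIN falls to an exhaustive search in moments. The function names, the toy KDF and the verifier tag are all assumptions made for illustration.

```python
import hashlib
import hmac
import itertools
import math
import os

# Constructed stand-in for the hardware-protected seed that secure boot is
# supposed to keep out of reach. In the real system the attacker would not
# have this value unless the boot chain leaked it.
DEVICE_SECRET = os.urandom(32)

# Deliberately small iteration count so the demonstration runs in seconds;
# a production KDF would be far slower per guess, but that only scales the
# offline cost, it does not remove it.
KDF_ITERATIONS = 100


def derive_key(pin: str, device_secret: bytes) -> bytes:
    """Toy KDF: storage key = PBKDF2(PIN, salt=device secret)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, KDF_ITERATIONS)


def make_verifier(key: bytes) -> bytes:
    """Tag stored next to the encrypted data so a candidate key can be tested."""
    return hmac.new(key, b"storage-key-check", hashlib.sha256).digest()


def search_space_bits(pin_digits: int, secret_known: bool) -> float:
    """Effective search space in bits for an offline guess.

    With the device secret known, only the PIN space remains (10^digits).
    Without it, every guess must also cover the 256-bit secret.
    """
    bits = pin_digits * math.log2(10)
    if not secret_known:
        bits += 8 * len(DEVICE_SECRET)
    return bits


def recover_pin(verifier: bytes, device_secret: bytes, pin_digits: int = 4):
    """Offline PIN search, feasible only because device_secret has leaked.

    Nothing on the phone rate-limits this: the work happens on the attacker's
    laptop against data already copied off the device.
    """
    for digits in itertools.product("0123456789", repeat=pin_digits):
        candidate = "".join(digits)
        tag = make_verifier(derive_key(candidate, device_secret))
        if hmac.compare_digest(tag, verifier):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a user PIN and the verifier stored alongside storage.
    user_pin = "7342"
    stored_verifier = make_verifier(derive_key(user_pin, DEVICE_SECRET))

    print(f"search space, secret sealed: {search_space_bits(4, False):.1f} bits")
    print(f"search space, secret leaked: {search_space_bits(4, True):.1f} bits")
    print("recovered PIN:", recover_pin(stored_verifier, DEVICE_SECRET))
```

The defensive takeaway the model makes visible: the strength of the scheme rests entirely on the device secret never leaving the trusted boundary, because a PIN of a few digits contributes almost nothing once guesses can be checked offline. That is why a fix has to land in the boot chain itself, and why users on affected handsets should treat secrets stored on the phone as exposed until the firmware update is installed.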
The disclosure highlights a broader class of risks that blends traditional mobile security concerns with the growth of software wallets on phones. Under the same conditions, messages, photos, and saved credentials could also be exposed.
Ledger estimates the issue could affect a significant share of smartphones using MediaTek chips. While Ledger's research initially cited various devices, it has since been noted that current Solana Seeker handsets (Version 1 and 2) do not use the specific third-party security solutions mentioned in some initial reports.
Attack conditions
Ledger's description confirms the attack requires physical access to the phone and a USB connection. Its proof-of-concept used a laptop. The scenario does not require the device to be unlocked or for Android to be running.
Ledger said it found the issue while investigating security behind flash encryption in Android. It also pointed to other phone attacks that do not require user interaction, including so-called zero-click exploits that can take control of a device remotely.
Donjon is Ledger's internal security research team. It audits Ledger products and investigates third-party hardware and software, using responsible disclosure so vendors can issue fixes before criminals exploit vulnerabilities.
Vendor fixes
Ledger said it disclosed the vulnerability to MediaTek under a 90-day disclosure standard, in line with industry practice. The issue had already been identified, and MediaTek has confirmed that it has issued a fix to affected device manufacturers (OEMs). The vulnerability has been published as CVE-2025-20435.
In line with best practice, companies providing security solutions on affected chipsets are expected to work with MediaTek and OEMs to ensure customers remain protected. Patch distribution for Android devices varies by manufacturer and model: updates typically depend on the OEM integrating vendor fixes into its firmware and security releases.
Ledger urged users of affected phones to install the latest available security updates, and argued that upgradeable firmware is important for long-term device security.
For the crypto industry, the disclosure underscores a recurring tension between convenience and custody. Many users keep recovery phrases and keys in software wallets on general-purpose phones, and security teams have long warned that handset compromise can lead directly to theft of digital assets.
Ledger, which sells hardware devices that store private keys offline, said the research is part of a broader effort to improve security across the ecosystem.
"This research proves what we've long warned: smartphones were never designed to be vaults. While this can be patched, and we encourage all users to update with the latest security fixes provided by MediaTek and phone manufacturers, it shows the challenge of storing secrets on non-secure devices. If your crypto sits on a phone, it's only as safe as the weakest link in that phone's hardware, firmware, or software," said Charles Guillemet, Chief Technology Officer, Ledger.
"The Ledger Donjon doesn't publish this research to create fear - they publish it so the industry can fix it. That's what the Donjon exists to do," Guillemet added.