MediaTek Vulnerability Exposed Crypto Seed Phrases on Android Phones


A MediaTek vulnerability allowed attackers to steal crypto seed phrases from some Android phones in about 45 seconds, according to Ledger’s Donjon security team.

The flaw affected certain devices using MediaTek processors and the Trustonic Trusted Execution Environment. Although MediaTek released a patch on Jan. 5, users who have not installed the latest updates may still face risk.


Ledger said the issue came from the secure boot chain, which is supposed to make sure a phone starts only with trusted software. However, the flaw let an attacker bypass that protection through a USB connection.

As a result, the attacker could reach sensitive data on the device before Android fully loaded.

MediaTek Vulnerability Warning. Source: Charles Guillemet

In a statement shared with Cointelegraph, Ledger said the exploit could recover a phone’s PIN, decrypt stored data, and extract crypto seed phrases from major wallet apps.

The wallets named were Trust Wallet, Base, Kraken Wallet, Rabby, Tangem’s Mobile Wallet, and Phantom. Therefore, the issue raised concerns about crypto wallet security on mobile devices.

MediaTek vulnerability let attackers bypass the secure boot chain

The MediaTek vulnerability centered on the secure boot chain, which plays a key role in device security.

Normally, this process blocks unauthorized software from running during startup. In this case, however, Ledger said the flaw opened a path around those protections.

Because of that weakness, an attacker with physical access to the phone could connect it to a computer with a USB cable and run the exploit.

The attack did not require the phone to boot into Android first. That detail mattered because it allowed access at a deeper system level.

Ledger’s Donjon team demonstrated the exploit on a Nothing CMF Phone 1. According to the company, the researchers compromised the device in around 45 seconds.

Ledger said,

“Without ever even booting into Android, the exploit automatically recovered the phone’s PIN, decrypted its storage, and extracted the seed phrases from the most popular software wallets.”

Ledger Donjon test raised new crypto wallet security concerns

Ledger said about 25% of Android phones use both MediaTek processors and the Trustonic TEE involved in the flaw. That figure showed the possible scale of exposure before the MediaTek patch. At the same time, it did not mean all those devices were attacked.

The company also pointed to the wider use of phones for digital assets. As of early 2025, nearly 36 million people managed digital assets on mobile devices. Therefore, a single Android security flaw could affect a large number of users who rely on phones for crypto wallet security.

Ledger also referred to earlier testing on the MediaTek Dimensity 7300 (MT6878) in December 2025. It said the team bypassed the device’s protections and gained “full and absolute control over the smartphone, with no security barrier left standing.”

That finding added more context to the risk tied to the MediaTek vulnerability.

MediaTek patch arrived in January as Ledger repeated phone security concerns

MediaTek patched the flaw in January, after Ledger Donjon disclosed the issue. A Ledger spokesperson told Cointelegraph that the company does “not anticipate this to be an ongoing issue.”

Even so, the warning still applied to devices that had not received or installed the latest security update.

The case also matched Ledger’s broader view on mobile security. In June 2020, Charles Guillemet, Ledger’s chief technology officer, told Cointelegraph that mobile phones, whether Android or iPhone, are “very difficult to have secure applications.” His position remained the same in this latest case.

On Wednesday, Guillemet wrote on X:

“Smartphones aren’t built for security. Even when powered off, user data including pins & seeds can be extracted in under a minute.”

He added,

“This research highlights a fundamental architectural difference: General purpose chips are built for convenience. Secure Elements are built for key protection.”

According to Guillemet, a dedicated Secure Element keeps secrets isolated from the rest of the system, even during a physical attack.



Tatevik Avetisyan
Editor at Kriptoworld

Tatevik Avetisyan is an editor at Kriptoworld who covers emerging crypto trends, blockchain innovation, and altcoin developments. She is passionate about breaking down complex stories for a global audience and making digital finance more accessible.

📅 Published: March 12, 2026 • 🕓 Last updated: March 12, 2026
