Security researchers have identified a serious Android phone vulnerability that could affect the global smartphone ecosystem. The flaw, discovered by the security research team at Ledger, may expose sensitive information from millions of Android smartphones powered by certain Android chipsets. According to researchers, the issue could potentially impact devices representing roughly 25% of Android phones worldwide. 

The vulnerability involves specific Android chipsets produced by MediaTek and affects devices that use Trustonic’s Trusted Execution Environment (TEE). Researchers warned that attackers with brief physical access to a vulnerable device could extract sensitive data, including encryption keys and cryptocurrency wallet seed phrases, in less than a minute. 

Android Phone Vulnerability Linked to Boot Chain Weakness 

The security issue was identified by Ledger’s internal white-hat security unit, known as the Donjon team. Their investigation revealed that the Android phone vulnerability originates in the device’s boot chain, a critical security process that verifies system components when a phone powers on. 

Normally, the boot chain ensures that each stage of the startup process is cryptographically validated before the next stage loads. This mechanism is designed to protect the device’s encryption keys and keep sensitive information secure until the operating system is fully loaded. 

However, in certain Android smartphones powered by affected Android chipsets, researchers found that attackers could exploit a weakness before the Android operating system finishes loading. By connecting the phone to a computer via USB, an attacker could bypass several security protections. 

The researchers demonstrated that this process allowed automated attempts to guess a user’s PIN, decrypt the phone’s storage, and recover sensitive information such as messages and cryptocurrency wallet seed phrases. 

Proof-of-Concept Attack Completed in 45 Seconds 

During a proof-of-concept demonstration, Ledger’s Donjon team showed how the Android phone vulnerability could be exploited in under a minute. In their test, a Nothing CMF Phone 1 was connected to a laptop using a USB cable. 

Within 45 seconds, researchers were able to recover the device’s PIN code, decrypt its encrypted storage, and extract seed phrases from six cryptocurrency wallet applications: Trust Wallet, Base, Kraken Wallet, Rabby, Tangem, and Phantom. 

The attack required only a brief physical connection to a computer and did not involve installing malware or interacting with the phone’s screen. Researchers noted that the vulnerability could allow attackers to obtain the root cryptographic keys responsible for securing full-disk encryption on affected Android smartphones.

Once those keys are extracted, the phone’s data can be decrypted offline. 

Android Chipsets and Devices Potentially Affected 

The Android phone vulnerability specifically affects devices powered by certain MediaTek Android chipsets that rely on Trustonic’s Trusted Execution Environment. MediaTek processors are widely used in Android smartphones, particularly in the budget and midrange device segments. 

Industry estimates suggest MediaTek chips power approximately one quarter of Android handsets worldwide, meaning the issue could potentially affect around 25% of Android phones, although not all devices using MediaTek hardware are vulnerable. 

The vulnerability has been documented under security case number 2026-20435 in a MediaTek security bulletin. The company has already distributed a firmware fix to smartphone manufacturers, but the patch must be implemented and delivered to users through device updates. 

Until those updates are installed, affected Android smartphones could remain vulnerable. 

MediaTek confirmed that it provided a security fix to original equipment manufacturers (OEMs) in January. 

Charles Guillemet, Chief Technology Officer at Ledger, emphasized that smartphones were never designed to function as highly secure storage systems for sensitive digital assets. 

“Smartphones were never designed to be vaults,” Guillemet said. 

He added: “If your crypto sits on a phone, it’s only as safe as the weakest link in that phone’s hardware, firmware, or software.” 

Ledger advised users of potentially affected Android smartphones to install the latest available security updates as soon as they become available.