
Ledger Identifies Security Vulnerability Potentially Affecting Up to 25 % of Android Devices

Ledger Uncovers Critical Android Vulnerability That Could Compromise Up to One‑Quarter of Devices

Wednesday, March 11, 2026 – Ledger’s internal security team identified a flaw in MediaTek‑based Android phones that allows an attacker to extract full‑disk encryption keys and crypto‑wallet credentials in under a minute, even when the device is powered off.


The discovery

Ledger’s in‑house white‑hat group, known as the Donjon, revealed a vulnerability affecting Android smartphones that rely on MediaTek system‑on‑chip (SoC) processors and Trustonic’s Trusted Execution Environment (TEE).

The flaw enables an adversary to connect to a target phone via USB before the operating system boots, harvest the root cryptographic keys that protect the device’s encrypted storage, and subsequently decrypt the data offline. In a laboratory demonstration, the team plugged a Nothing CMF Phone 1 into a laptop and, within 45 seconds, recovered the device’s PIN, decrypted its internal storage, and extracted seed phrases from six popular cryptocurrency wallet applications: Trust Wallet, Base, Kraken Wallet, Rabby, Tangem and Phantom.

Technical overview

  • Attack surface – The exploit operates at the pre‑boot stage. By leveraging a weakness in the MediaTek bootloader and the way Trustonic’s TEE provisions cryptographic material, the attacker can bypass the device’s full‑disk encryption without needing the user’s PIN or biometric data.
  • Speed – The proof‑of‑concept shows a full compromise in under a minute, far faster than typical cold‑boot or side‑channel attacks.
  • Impact scope – Ledger estimates that as many as 25 % of Android phones in circulation could be vulnerable, given the market share of MediaTek chips in mid‑range and budget devices. Phones that embed the Trustonic TEE—such as the Solana Seeker model—are explicitly listed as affected.

Response from vendors

Ledger reported the issue to both MediaTek and Trustonic and followed a standard 90‑day responsible disclosure timeline before publishing. MediaTek confirmed that a patch was issued to original equipment manufacturers (OEMs) in January 2026. Trustonic has yet to release a public statement about a firmware update.

Ledger’s CTO, Charles Guillemet, warned that smartphones were never intended to serve as crypto vaults, emphasizing that security is only as strong as the weakest component in the hardware‑software chain.

“If your crypto sits on a phone, it’s only as safe as the weakest link in that phone’s hardware, firmware, or software,” Guillemet said.

Recommendations for users

  1. Apply updates immediately – Users of potentially affected devices should verify that the latest security patch from their OEM is installed.
  2. Prefer hardware wallets – Storing private keys on dedicated hardware devices remains the safest practice.
  3. Enable additional layers – Where possible, use app‑level encryption and two‑factor authentication, and avoid keeping large crypto balances on mobile devices.

Ledger advises anyone uncertain about their device’s status to consult the OEM’s support channels or check the MediaTek security bulletin for the specific patch version.
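The patch‑level check above can be scripted. The following POSIX shell triage script is an added example, not code from the article, Ledger or MediaTek: it reads `adb shell getprop` output, decides whether the SoC identifiers (`ro.soc.manufacturer`, `ro.board.platform`, `ro.hardware`) look MediaTek‑made, and compares `ro.build.version.security_patch` against a threshold date. The article gives no patch‑level string for the fix, only that MediaTek shipped it to OEMs in January 2026, so the `MIN_PATCH` default is an assumed placeholder to be replaced from the MediaTek bulletin, and the sample property dumps are constructed, not captured from real devices.

```shell
#!/bin/sh
# Added example, not from the article or Ledger's research: triage an Android
# device's exposure to the MediaTek/Trustonic pre-boot issue from `getprop`
# output. Capture it with:   adb shell getprop > props.txt
# then run:                  sh check_mtk_patch.sh props.txt
#
# ASSUMPTION: the article gives no patch-level string for the fix, only that
# MediaTek shipped it to OEMs in January 2026. MIN_PATCH is a placeholder you
# must set from the MediaTek bulletin / your OEM's notes. An OEM may ship the
# chipset fix at a later ro.build.version.security_patch than this date, so
# "patch-level-ok" means "not obviously behind", not "proven fixed".
MIN_PATCH="${MIN_PATCH:-2026-01-01}"

# prop_value PROPS NAME: print NAME's value from getprop-style text
# ("[name]: [value]" per line). Strips the CRs some adb builds emit.
prop_value() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p" | head -n 1
}

# is_mediatek PROPS: succeed if the SoC identifiers look MediaTek-made
# (vendor string, or an mt####-style platform/hardware name).
is_mediatek() {
    ids=$(printf '%s %s %s' \
        "$(prop_value "$1" ro.soc.manufacturer)" \
        "$(prop_value "$1" ro.board.platform)" \
        "$(prop_value "$1" ro.hardware)" | tr 'A-Z' 'a-z')
    case "$ids" in
        *mediatek*|*mt[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# assess PROPS: print exactly one verdict token:
#   not-mediatek | patch-level-ok | patch-level-below-threshold | patch-level-unknown
assess() {
    if ! is_mediatek "$1"; then
        echo not-mediatek
        return 0
    fi
    patch=$(prop_value "$1" ro.build.version.security_patch)
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;   # YYYY-MM-DD as expected
        *) echo patch-level-unknown; return 0 ;;
    esac
    # Compare as YYYYMMDD integers rather than relying on non-POSIX string '>'.
    patch_num=$(printf '%s' "$patch" | sed 's/-//g')
    min_num=$(printf '%s' "$MIN_PATCH" | sed 's/-//g')
    if [ "$patch_num" -ge "$min_num" ]; then
        echo patch-level-ok
    else
        echo patch-level-below-threshold
    fi
}

# Constructed sample getprop excerpts (not captured from real devices).
SAMPLE_MTK_OLD='[ro.soc.manufacturer]: [Mediatek]
[ro.board.platform]: [mt6789]
[ro.build.version.security_patch]: [2025-11-05]'
SAMPLE_MTK_NEW='[ro.soc.manufacturer]: [Mediatek]
[ro.board.platform]: [mt6789]
[ro.build.version.security_patch]: [2026-02-05]'
SAMPLE_OTHER='[ro.soc.manufacturer]: [Qualcomm]
[ro.board.platform]: [kalama]
[ro.build.version.security_patch]: [2025-09-05]'

if [ -n "${1:-}" ] && [ -f "$1" ]; then
    assess "$(cat "$1")"
else
    # No file given: show the verdicts for the constructed samples.
    for s in "$SAMPLE_MTK_OLD" "$SAMPLE_MTK_NEW" "$SAMPLE_OTHER"; do
        assess "$s"
    done
fi
```

A `not-mediatek` verdict only rules out the chipset family named on the page; a `patch-level-unknown` verdict (missing or malformed `ro.build.version.security_patch`) should be treated as unpatched until the OEM confirms otherwise.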

Broader context

The revelation arrives amid a surge in crypto‑related thefts. According to data cited by The Defiant, 2025 set a record for crypto crime, with illicit actors siphoning roughly $154 billion globally. High‑profile incidents—from North Korea’s estimated $2 billion haul to the $1.5 billion Bybit breach—highlight the escalating threat landscape.

While most headline‑grabbing attacks target centralized exchanges, the Ledger finding underscores that the mobile ecosystem is an increasingly attractive vector. Recent incidents, such as the $7 million theft from Trust Wallet users via a malicious Chrome extension, illustrate how attackers combine social engineering, supply‑chain compromises, and now low‑level hardware exploits to reach private keys.

Key takeaways

  • What happened – A critical pre‑boot vulnerability in MediaTek‑based Android phones allows USB‑connected attackers to steal encryption keys and decrypt the device, even when it is powered off.
  • Potential reach – Up to 25 % of Android devices, especially those using Trustonic’s TEE (e.g., Solana Seeker).
  • Speed of compromise – Less than one minute in a controlled test, recovering the PIN, the storage encryption keys, and crypto‑wallet seed phrases.
  • Vendor response – MediaTek released a fix to OEMs in January 2026; Trustonic’s remediation timeline remains unclear.
  • User action – Install the latest firmware/security update immediately; consider moving crypto assets to dedicated hardware wallets.
  • Industry implication – Highlights the growing importance of hardware‑level security audits for mobile devices as crypto adoption expands.

Outlook

The Ledger disclosure serves as a reminder that mobile phones, despite their convenience, are not designed to be high‑value key custodians. As the cryptocurrency ecosystem matures, the pressure on device manufacturers to harden boot‑loader and TEE implementations is likely to increase. Security researchers and hardware vendors will be watching closely to see whether additional vulnerabilities are uncovered in the wake of this announcement, and whether a coordinated industry response can restore confidence in mobile crypto storage.

For now, users should treat their smartphones as a front‑line access point—convenient for browsing and light transactions, but unsuitable for long‑term storage of private keys.



Source: https://thedefiant.io/news/hacks/ledger-donjon-team-finds-android-vulnerability
