Ledger’s Donjon hacker lab discovers critical MediaTek vulnerability – potentially affecting 25% of Android phone users

Ledger, the world leader in digital asset security for consumers and enterprises, has uncovered a critical vulnerability in MediaTek-powered Android smartphones that allows an attacker to extract user data – including messages, photos, and even crypto wallet seed phrases – in seconds.

In a proof-of-concept test, Ledger’s white-hat hacker team, the Donjon, plugged a Nothing CMF Phone 1 into a laptop and breached the phone’s foundational security within 45 seconds. Without ever booting into Android, the exploit automatically recovered the phone’s PIN, decrypted its storage, and extracted the seed phrases from the most popular software wallets: Trust Wallet, Base, Kraken Wallet, Rabby, Tangem’s Mobile Wallet and Phantom.

This vulnerability has the potential to affect Android smartphones using MediaTek processors (whose chips are in roughly a quarter of all Android phones), including the Solana Seeker phone. The flaw sits in MediaTek’s secure boot chain. Before the operating system even loads, an attacker can connect over USB and extract the root cryptographic keys that protect Android’s full-disk encryption. From there, the phone’s storage can be decrypted offline and the PIN brute-forced in seconds – unlocking all application data, including wallet seed phrases.

Smartphones often lack the necessary security to securely store assets. Zero-click exploits can take complete control of a phone, allowing attackers to steal private keys, even without user interaction. The Donjon team found this vulnerability by investigating the security behind the flash encryption in the Android OS.

“This research proves what we’ve long warned: smartphones were never designed to be vaults. While this can be patched, and we encourage all users to update with the latest security fixes provided by MediaTek and phone manufacturers, it shows the challenge of storing secrets on non-secure devices. If your crypto sits on a phone, it’s only as safe as the weakest link in that phone’s hardware, firmware, or software,” said Charles Guillemet, Chief Technology Officer of Ledger. “The Ledger Donjon doesn’t publish this research to create fear—they publish it so the industry can fix it. That’s what the Donjon exists to do.”

The Donjon is Ledger’s internal team of expert white-hat hackers and security researchers dedicated to auditing, testing, and improving security. Beyond hardening Ledger’s own devices, the Donjon routinely probes third-party hardware and software – disclosing vulnerabilities responsibly so they can be patched before criminals exploit them.

This is the latest in a series of high-profile disclosures from the Donjon – it recently uncovered vulnerabilities affecting Android chips and exposed PIN bypass attacks in competitor wallets.

Ledger disclosed the vulnerability to MediaTek following the 90-day disclosure standard, which allowed for security fixes to be released. MediaTek has confirmed that it provided a fix for the vulnerability to affected OEMs on the 5th of January 2026, and the existence of the vulnerability was made public on the 2nd of March 2026 (search for CVE-2025-20435).

Users of phones with these chips should install the latest security updates ASAP. Upgradeable firmware is an essential feature of the security arms race, ensuring zero-day exploits can be closed where possible.