Android Phone Crypto Wallets Could Be at Risk Due to MediaTek Exploit: Ledger

A vulnerability in certain Android smartphones powered by MediaTek processors could allow attackers to extract encrypted user data in under a minute using only a USB connection, according to new research from cryptocurrency hardware wallet maker Ledger.

Ledger’s internal security research team, known as the Donjon, found that white hat hackers were able to demonstrate the flaw by connecting a Nothing CMF Phone 1 to a laptop and compromising the device’s security in under 45 seconds.

“Donjon has struck again, discovering a MediaTek vulnerability potentially impacting millions of Android phones. Another reminder that smartphones aren’t built for security,” Ledger Chief Technology Officer Charles Guillemet wrote on X. “Even when powered off, user data—including PINs and [seed phrases]—can be extracted in under a minute.”

The Donjon team reported they were able to recover the Nothing CMF Phone 1’s PIN, decrypt its storage, and extract seed phrases from several crypto wallets without booting Android, including Trust Wallet, Base, Kraken Wallet, Rabby, Tangem’s mobile wallet, and Phantom.

Released in 2024 by London-based Nothing, the Nothing CMF Phone 1 is a low-cost and modularly customizable mobile phone that runs the Android operating system. The exploit targets the phone’s secure boot chain, Donjon said, which allows an attacker to connect through USB and extract root cryptographic keys before the operating system loads, enabling the device’s storage to be decrypted offline.

According to a July 2025 report by Chainalysis, personal wallet compromises represented a growing share of total cryptocurrency theft, with attackers increasingly targeting individual users, making up 23.35% of all stolen fund activity YTD in 2025.

Ledger said the Donjon team discovered the vulnerability while analyzing Android’s flash encryption security. The company disclosed the exploit to MediaTek and Trustonic under a 90-day responsible disclosure policy, and the vulnerability was publicly disclosed by MediaTek earlier this month.

Other devices that use MediaTek chips include the crypto-centric Solana Seeker, along with smartphones from brands including Samsung, Motorola, Xiaomi, POCO, Realme, Vivo, OPPO, Tecno, and iQOO. However, it’s not yet clear which other handsets beyond the Nothing CMF Phone 1 may be susceptible to the exploit.

Although the demonstration focused on crypto wallets, Donjon said the exposure could extend to other sensitive information stored on the device, including messages, photos, financial information, and account credentials.

Crypto wallets typically come in two flavors: software and hardware wallets designed to store private keys that allow users to access their digital assets. Software or hot wallets are designed for mobile devices, while physical hardware wallets are meant to be used with desktop or laptop computers. These wallets, like the Ledger Nano S, can be removed from computers for better security.

However, software wallets are more accessible and typically free to download and use, compared to hardware wallets that can vary in price. However, Guillemet said the software-only approach comes with trade-offs, and highlights a fundamental architectural difference between “general-purpose” phone chips and those specifically designed for private key protection.

“General-purpose chips are built for convenience,” he wrote. “Secure Elements are built for key protection. A dedicated Secure Element isolates secrets from the rest of the system, protecting them even under physical attack.”