Security researchers at Ledger have identified a vulnerability affecting certain Android smartphones powered by MediaTek processors that could allow attackers to extract encrypted user data in less than a minute using only a USB connection.
The discovery was made by Ledgerās internal security research team known as Donjon, which demonstrated the exploit using the Nothing CMF Phone 1, a modular Android device released in 2024 by the London-based technology firm Nothing. During the test, researchers connected the device to a laptop and successfully compromised its security in approximately 45 seconds.
According to the Donjon teamās findings, the vulnerability allows attackers to recover a deviceās PIN, decrypt the phoneās storage, and extract sensitive data without the Android operating system ever booting. In the demonstration, researchers were able to retrieve seed phrases from multiple cryptocurrency wallets stored on the device.
The wallets affected in the test included Trust Wallet, Kraken Wallet, Phantom, and Rabby Wallet, among others commonly used to manage digital assets. The exploit automatically recovered the phoneās PIN, decrypted storage, and extracted wallet seed phrases before the operating system was even loaded.
By accessing root cryptographic keys prior to system initialization, the attacker can decrypt the phoneās storage offline and retrieve protected information directly from the hardware.
Ledger reported the vulnerability to MediaTek and the mobile security company Trustonic under a 90-day responsible disclosure policy. MediaTek reportedly provided a patch to device manufacturers in January, although the company did not publicly acknowledge the issue until March.
The potential exposure is notable because MediaTek processors are widely used across the Android ecosystem. Devices from brands such as Samsung, Motorola, Xiaomi, OPPO, and Vivo incorporate these chips. The crypto-focused Solana Seeker also uses MediaTek hardware, although it remains unclear which specific models beyond the Nothing CMF Phone 1 could be vulnerable.
The discovery comes as attacks targeting individual crypto users continue to rise. According to a 2025 report by Chainalysis, compromises of personal wallets accounted for approximately 23.35% of all cryptocurrency theft activity recorded that year.
Ledger noted that while the demonstration focused on cryptocurrency wallets, the same vulnerability could potentially expose other sensitive data stored on the device, including private messages, photos, financial information, and account credentials.
Source: Research from the Donjon security team at Ledger
Disclaimer: This content is for informational purposes only and does not constitute financial, cybersecurity, or investment advice. Security vulnerabilities and device protections may change as software updates and patches are released.
