Ledger's Donjon team hacked a Nothing CMF Phone 1 in 45 seconds. The researchers exploited a flaw in MediaTek's secure boot chain, tracked as CVE-2026-20435, that could affect roughly 25% of all Android smartphones, according to Ledger. The vulnerability targets devices running MediaTek processors with Trustonic's TEE (Trusted Execution Environment). Ledger CTO Charles Guillemet disclosed the finding on March 11, 2026.
The attack works before Android even loads. An attacker with physical access connects the target phone to a laptop via USB, exploits MediaTek's secure boot chain to extract root cryptographic keys, and decrypts the device's storage offline.
Donjon ran the demo with the Nothing CMF Phone 1 powered off. Android's lock screen, USB debugging settings, and OS-level protections offered no resistance because the attack runs at a privilege level below the operating system.
Smartphones aren't built for security. Even when powered off, user data, including PINs and seeds, can be extracted in under a minute.
— Charles Guillemet, CTO of Ledger, wrote on X
Six mobile crypto wallets gave up their seed phrases in the test. Trust Wallet, Kraken Wallet, Phantom, Base, Rabby, and Tangem's mobile wallet all fell to the exploit. The exposure extends beyond cryptocurrency to any sensitive data stored on the device, including messages, photos, financial records, and account credentials.
About 36 million people managed digital assets on mobile phones as of early 2025. Counterpoint Research puts MediaTek's share of the global smartphone processor market at nearly 34%, which means hundreds of millions of devices could carry vulnerable silicon. MediaTek's March 2026 security bulletin lists the affected chipsets, spanning models that power entry-level to flagship phones from OPPO, vivo, OnePlus, and Samsung.
This research proves what we've long warned. Smartphones were never designed to be vaults. If your crypto sits on a phone, it's only as safe as the weakest link in that phone's hardware, firmware, or software.
— Guillemet said in a statement shared with The Block
Donjon disclosed the vulnerability to MediaTek and Trustonic under a 90-day responsible disclosure policy. MediaTek confirmed it provided a fix to device manufacturers on January 5, 2026. Patch distribution now depends on each OEM integrating the fix into their firmware updates. MediaTek said it is not aware of active exploitation in the wild.
Ledger's team has a track record with MediaTek vulnerabilities. In December 2025, Donjon demonstrated a fault injection attack against the MediaTek Dimensity 7300 (MT6878) chipset, using electromagnetic pulses to disrupt the chip's boot process and gain full control of the device. MediaTek responded at the time by saying such attacks fell outside the chipset's intended threat model.
Users of Android phones with MediaTek processors should install the latest security update from their device manufacturer. The fix should be included in patches released after January 2026. Anyone storing cryptocurrency seed phrases in mobile software wallets on a MediaTek-powered device should consider moving those assets to a hardware wallet until the patch is confirmed installed.
Have a story? Become a contributor.
We work with independent researchers and cybersecurity professionals. Send us a tip or submit your article for editorial review.