Hackers can steal Android PINs and crypto wallet data even when phones are switched off, exposing millions globally


- Ledger’s Donjon team exploited MediaTek phones, recovering crypto wallet PINs and seed phrases
- Attackers can extract root cryptographic keys from powered off Android devices via USB
- Trustonic secure execution environment fails to prevent attacks on a quarter of Android devices
Ledger’s hacking team, Donjon, has discovered a vulnerability in MediaTek-powered Android smartphones that allows attackers to access sensitive data in less than a minute.
Using a Nothing CMF Phone 1, the Donjon team completely bypassed the Android operating system, retrieved the PIN, decrypted the storage, and extracted seed phrases from multiple crypto wallets.
The flaw affects devices using Trustonic’s trusted execution environment as well as MediaTek processors, found in approximately one in four Android smartphones worldwide.
Attackers can connect a powered-off phone via USB and retrieve root cryptographic keys before the operating system loads.
Once obtained, these keys enable offline decryption of storage and brute forcing of the device’s PIN, exposing app data including messages, photos, and wallet information.
Zero-click attacks reveal that Android smartphones often lack the hardware and firmware protections needed to safeguard sensitive user information from advanced exploits.
“This research proves what we’ve long warned: smartphones were never designed to be safes. While this can be fixed, we encourage all users to update with the latest security patches,” said Charles Guillemet, Ledger’s chief technology officer.
“If your crypto is on a phone, its security depends on the weakest link in that phone’s hardware, firmware, or software.”
The Donjon team conducts regular audits of Ledger devices and third-party hardware, responsibly disclosing vulnerabilities so that manufacturers can release patches before exploitation occurs.
Ledger disclosed this vulnerability to MediaTek and Trustonic as part of the standard 90-day disclosure process, allowing time for security patches to reach affected OEMs.
MediaTek confirmed that it provided updates to OEMs on January 5, 2026, and the vulnerability was publicly disclosed on March 2, 2026, as CVE-2025-20435.
Users should immediately install security updates to mitigate potential attacks, as upgradable firmware remains essential to effectively patch zero-day exploits.
This exploit reveals the risks inherent in relying on mobile devices to store private data, including crypto wallets and other sensitive information.
All data stored on Android smartphones remains susceptible to hardware attacks, emphasizing that immediate patching is the only practical defense against advanced threats.
Users should be aware that even modern business smartphones carry inherent security risks, and hardware, firmware, or software vulnerabilities can expose sensitive data without warning.
Sensitive business or personal data should not be considered secure on mobile phones, and relying on these devices alone to store assets is inherently risky.




