
Major MediaTek security flaw could expose data on millions of Android phones

March 12, 2026

Ryan Haines / Android Authority

TL;DR

  • Security researchers from Ledger’s Donjon team discovered a vulnerability in MediaTek-powered Android phones that allowed them to break into the CMF Phone 1 by Nothing in just 45 seconds.
  • The exploit reportedly worked without even booting Android, allowing the researchers to recover the phone’s PIN, decrypt its storage, and extract crypto wallet data.
  • MediaTek says it issued a fix to device makers in January 2026, but the flaw could potentially affect millions of Android devices.

Security researchers have discovered a serious vulnerability in MediaTek-powered Android phones that could allow attackers to extract sensitive user data even when the device is powered off.


The flaw was uncovered by Donjon, the hardware security research team run by crypto hardware wallet company Ledger. According to Ledger CTO Charles Guillemet’s posts on X, the vulnerability could affect millions of Android devices with MediaTek processors that use Trustonic’s Trusted Execution Environment (TEE).

Guillemet said the team used the CMF Phone 1 by Nothing to demonstrate the exploit and managed to gain access to the phone’s protected data in less than a minute.

“The Ledger Donjon plugged a CMF Phone 1 into a laptop and breached the phone’s foundational security within 45 seconds,” he wrote.


According to the researchers, the exploit works without ever booting the Android operating system. Once the phone is connected to a computer, the attack can automatically retrieve the device’s PIN, decrypt its storage, and extract seed phrases from popular software cryptocurrency wallets.

These seed phrases are essentially the master keys used to recover crypto wallets, making them extremely valuable targets for attackers.

Many MediaTek devices rely on a Trusted Execution Environment (TEE), a secure area inside the main processor, to protect sensitive data. The TEE is protected through software isolation and hardware privileges, but it’s still very much a part of the main chip.

In contrast, Pixel phones, iPhones, and many Snapdragon devices use dedicated hardware security processors such as the Titan M2, Secure Enclave, or the Qualcomm Secure Processing Unit to keep sensitive information isolated from the main chip.

Guillemet said the issue highlights a deeper design problem with many consumer devices.

“General-purpose chips are built for convenience,” he explained. “Secure Elements are built for key protection.”

Unlike typical smartphone chips, dedicated Secure Elements isolate sensitive secrets from the rest of the system. According to Ledger, this separation helps protect the hardware from physical attacks.

Fixes have already been issued

The vulnerability found in MediaTek chips has been assigned the identifier CVE-2026-20435. The Donjon team says it followed a responsible disclosure process and informed MediaTek before making the vulnerability public.

MediaTek confirmed to the security research firm that it provided fixes to device manufacturers on January 5, 2026, meaning the vulnerability should be patched in software updates from affected phone makers.

However, it’s unclear whether the vulnerability has been exploited by attackers or what its potential impact on existing devices is. MediaTek chips power millions of devices across multiple price tiers.

Affected MediaTek Chips

The chipmaker’s March security bulletin lists the affected processors, including those powering entry-level to flagship phones from the likes of OPPO, vivo, OnePlus, and Samsung. You can compare the model names and check online whether your phone features one of the affected chipsets, though patches for the flaw should already be available or be coming soon from your phone maker.
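For anyone checking more than one handset, the comparison described above can be scripted against saved `adb shell getprop` output. The following is an added example, not code from the article, MediaTek, or Ledger; the affected-model entry `MT0000` and the patch-level cutoff are placeholders to replace with the values from the MediaTek bulletin and your phone maker's advisory.

```python
import re
from datetime import date

# Placeholder list: copy the real model names from MediaTek's March security
# bulletin. "MT0000" is a made-up entry, not an actual chipset.
AFFECTED_SOC_MODELS = {"MT0000"}
# Assumption: first security patch level at which your phone maker ships the fix.
FIXED_PATCH_LEVEL = date(2026, 3, 1)

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Turn `adb shell getprop` output ([key]: [value] lines) into a dict."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props

def triage(getprop_text, affected=AFFECTED_SOC_MODELS, fixed=FIXED_PATCH_LEVEL):
    """Classify one device from its saved getprop dump."""
    props = parse_getprop(getprop_text)
    vendor = props.get("ro.soc.manufacturer", "").lower()
    # ro.soc.model is absent on older builds; fall back to the board platform.
    model = (props.get("ro.soc.model") or props.get("ro.board.platform", "")).upper()
    if "mediatek" not in vendor and not model.startswith("MT"):
        return "not-mediatek"
    if model not in {m.upper() for m in affected}:
        return "mediatek-not-listed"
    try:
        patch = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "listed-patch-level-unknown"
    return "listed-patched" if patch >= fixed else "listed-needs-update"

# Constructed sample dumps (not taken from real devices).
SAMPLE_STALE = """[ro.soc.manufacturer]: [Mediatek]
[ro.soc.model]: [MT0000]
[ro.build.version.security_patch]: [2025-12-05]"""
SAMPLE_LEGACY = """[ro.board.platform]: [mt0000]
[ro.build.version.security_patch]: [2026-03-05]"""

if __name__ == "__main__":
    for name, dump in (("stale", SAMPLE_STALE), ("legacy", SAMPLE_LEGACY)):
        print(name, triage(dump))
```

A reported patch level only reflects what the phone maker declares, so treat "listed-patched" as a prompt to confirm against the vendor's own advisory rather than as proof.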

This isn’t the first time Ledger’s research group has uncovered security weaknesses in MediaTek hardware. Last year, the Donjon team discovered fault injection vulnerabilities in the MediaTek Dimensity 7300 chipset, resulting in a complete security compromise.

At the time, MediaTek responded by saying such attacks fall outside the intended threat model for the chipset.
