Mobile phone chipset maker MediaTek patched a vulnerability affecting its chipsets in January that could have allowed an attacker to steal crypto seed phrases on affected devices using a USB cable and the right software.
The flaw was discovered by Ledger Donjon’s white-collar security team, which shared the vulnerability with MediaTek ahead of the Jan. 5 patch release, though users who haven’t installed the latest security patches are advised to do so, Ledger said.
The test device failed in 45 seconds
According to Ledger, the flaw stems from MediaTek’s secure boot chain, a security mechanism built into its chips that ensures the phone is safe and only boots with authorized firmware.
In a statement released to Cointelegraph, Ledger explained that this flaw means an attacker could gain access to an Android phone, connect it to a computer via USB and bypass security protections, potentially gaining access to sensitive data on the device, including crypto wallet seed phrases.
About 25% of Android phones use the Trustonic Trusted Execution Environment (TEE) and MediaTek processors, which exploit security flaws.
Donjon demonstrated the hack by connecting the Nothing CMF Phone 1 to a laptop and compromising the device’s security in about 45 seconds.
“Without even booting into Android, the exploit automatically reset the phone’s PIN, unlocked its storage, and extracted seed phrases from the most popular software wallets: Trust Wallet, Base, Kraken Wallet, Rabby, Tangem Mobile Wallet, and Phantom,” Ledger said.
While Ledger urged users to update their devices, a Ledger spokesperson told Cointelegraph that they “do not anticipate this to be an ongoing issue.”
Ledger says cell phones are never safe
With nearly 36 million people managing digital assets on their phones by early 2025, even one vulnerability could put a large number of wallets at risk.
In December 2025, Ledger revealed that it had tested an attack on the MediaTek Dimensity 7300 (MT6878) and bypassed its security measures to “remain full and absolute control over the smartphone without any security barriers”.
Ledger Chief Technology Officer Charles Guillemette told Cointelegraph in June 2020 that mobile phones, whether Android or iPhone, “have a very hard time having secure apps.”
related to: SlowMist introduces the Web3 security stack for autonomous AI agents
He reinforced a similar view on Wednesday, writing in X: “Smartphones are not built for security. Even when turned off, user data – including pins and seeds – can be extracted in minutes.”
“This research highlights a fundamental architectural difference: general-purpose chips are built for convenience. Secure elements are built to protect keys. The secure element isolates the secret from the rest of the system and protects them even under physical attack,” he said.
Magazine: All 21 million bitcoins from quantum computers are at risk
