Critical Android Vulnerability Exposes Encryption Keys and Crypto Wallet Data
Security researchers at Ledger’s Donjon team have uncovered a severe vulnerability in certain Android smartphones, potentially affecting up to 25% of devices worldwide. The flaw, tied to specific MediaTek chipsets using Trustonic’s Trusted Execution Environment (TEE), allows attackers with brief physical access to extract sensitive data including encryption keys and cryptocurrency wallet seed phrases in under a minute.
The issue stems from a weakness in the device’s boot chain, a security mechanism that validates system components during startup. Normally, this process protects encryption keys until the OS fully loads. However, researchers demonstrated that by connecting a vulnerable phone to a computer via USB, attackers could bypass security protections before the OS completes booting. In a proof-of-concept test using a Nothing CMF Phone 1, the Donjon team recovered the device’s PIN, decrypted storage, and extracted seed phrases from six crypto wallets Trust Wallet, Base, Kraken Wallet, Rabby, Tangem, and Phantom within 45 seconds.
The vulnerability, tracked as CVE-2026-20435 in MediaTek’s security bulletin, affects devices relying on certain MediaTek processors, which are prevalent in budget and midrange Android phones. MediaTek has issued a firmware fix to manufacturers, but users must install pending updates to mitigate the risk. Until then, affected devices remain exposed to offline decryption attacks once root cryptographic keys are extracted.
Ledger’s CTO, Charles Guillemet, noted that smartphones were not designed as secure storage for digital assets, emphasizing that their security depends on the integrity of hardware, firmware, and software. The discovery underscores the risks of storing sensitive data on mobile devices without additional safeguards.
Source: https://thecyberexpress.com/android-phone-vulnerability-mediatek-chipsets/
Tangem cybersecurity rating report: https://www.rankiteo.com/company/tangem
Kraken cybersecurity rating report: https://www.rankiteo.com/company/krakenfx
Nothing cybersecurity rating report: https://www.rankiteo.com/company/nothingtech
MediaTek cybersecurity rating report: https://www.rankiteo.com/company/mediatek
Coinbase cybersecurity rating report: https://www.rankiteo.com/company/coinbase
"id": "TANKRANOTMEDCOI1773311566",
"linkid": "tangem, krakenfx, nothingtech, mediatek, coinbase",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Up to 25% of Android devices '
'worldwide',
'industry': 'Technology/Hardware',
'name': 'MediaTek',
'type': 'Semiconductor Manufacturer'},
{'industry': 'Cybersecurity',
'name': 'Trustonic',
'type': 'Security Software Provider'},
{'industry': 'Consumer Electronics',
'name': 'Nothing CMF Phone 1',
'type': 'Smartphone Manufacturer'},
{'industry': 'FinTech',
'name': 'Trust Wallet',
'type': 'Cryptocurrency Wallet Provider'},
{'industry': 'FinTech',
'name': 'Base',
'type': 'Cryptocurrency Wallet Provider'},
{'industry': 'FinTech',
'name': 'Kraken Wallet',
'type': 'Cryptocurrency Wallet Provider'},
{'industry': 'FinTech',
'name': 'Rabby',
'type': 'Cryptocurrency Wallet Provider'},
{'industry': 'FinTech',
'name': 'Tangem',
'type': 'Cryptocurrency Wallet Provider'},
{'industry': 'FinTech',
'name': 'Phantom',
'type': 'Cryptocurrency Wallet Provider'}],
'attack_vector': 'Physical Access',
'customer_advisories': 'Users of affected Android devices should install '
'pending updates to mitigate the risk.',
'data_breach': {'data_encryption': 'Weakened (due to vulnerability in boot '
'chain)',
'data_exfiltration': 'Possible (attackers can extract data)',
'personally_identifiable_information': 'Cryptocurrency wallet '
'seed phrases '
'(indirect PII risk)',
'sensitivity_of_data': 'High (cryptographic keys, financial '
'data)',
'type_of_data_compromised': 'Encryption keys, cryptocurrency '
'wallet seed phrases'},
'description': 'Security researchers at Ledger’s Donjon team uncovered a '
'severe vulnerability in certain Android smartphones with '
'specific MediaTek chipsets using Trustonic’s Trusted '
'Execution Environment (TEE). The flaw allows attackers with '
'brief physical access to extract sensitive data, including '
'encryption keys and cryptocurrency wallet seed phrases, in '
'under a minute by bypassing security protections during the '
'boot process.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'affected manufacturers and crypto '
'wallet providers',
'data_compromised': 'Encryption keys, cryptocurrency wallet seed '
'phrases',
'identity_theft_risk': 'High (due to exposure of encryption keys '
'and seed phrases)',
'payment_information_risk': 'High (cryptocurrency wallet data)',
'systems_affected': 'Android smartphones with specific MediaTek '
'chipsets'},
'investigation_status': 'Vulnerability disclosed, patch available',
'lessons_learned': 'Smartphones may not be secure enough for storing '
'sensitive digital assets like cryptocurrency wallet seed '
'phrases. Security depends on the integrity of hardware, '
'firmware, and software.',
'post_incident_analysis': {'corrective_actions': 'MediaTek issued a firmware '
'fix; users must install '
'updates.',
'root_causes': 'Weakness in the device’s boot '
'chain security mechanism, allowing '
'bypass of security protections '
'before the OS fully loads.'},
'recommendations': 'Users should install firmware updates promptly, avoid '
'storing sensitive data on mobile devices without '
'additional safeguards, and consider using dedicated '
'hardware wallets for cryptocurrency storage.',
'references': [{'source': 'Ledger’s Donjon team'},
{'source': 'MediaTek Security Bulletin'}],
'response': {'containment_measures': 'MediaTek issued a firmware fix to '
'manufacturers',
'remediation_measures': 'Users must install pending updates to '
'mitigate the risk',
'third_party_assistance': 'Ledger’s Donjon team (security '
'researchers)'},
'title': 'Critical Android Vulnerability Exposes Encryption Keys and Crypto '
'Wallet Data',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CVE-2026-20435 (MediaTek chipset boot chain '
'weakness)'}