Critical MediaTek Flaw Exposes Android Wallet Seeds in 45 Seconds
PARIS, FRANCE — March 13, 2026. Ledger Donjon, the elite security research arm of hardware wallet manufacturer Ledger, has uncovered a critical vulnerability in MediaTek chipsets that allows attackers to extract cryptocurrency wallet seed phrases from powered-off Android devices in under 45 seconds. Designated CVE-2025-20435, this hardware-level flaw affects millions of Android smartphones and tablets globally, posing an unprecedented threat to mobile cryptocurrency storage. The discovery, announced today, reveals how physical access to a vulnerable device enables rapid seed extraction without forensic tools or specialized hardware, fundamentally challenging mobile security assumptions for cryptocurrency users.
Ledger Donjon Discovers MediaTek Hardware Vulnerability
Charles Guillemet, Ledger’s Chief Technology Officer and head of Ledger Donjon, detailed the vulnerability in a technical briefing on March 12, 2026. The flaw resides in the secure boot process of specific MediaTek system-on-chip (SoC) designs, particularly affecting mid-range and budget Android devices manufactured between 2021 and 2024. Researchers discovered that a malicious actor with brief physical access could exploit this vulnerability to dump the device’s entire memory contents, including any stored seed phrases from popular wallet applications like Trust Wallet, MetaMask Mobile, and Exodus. Consequently, the attack works even when the phone is turned off, as the exploit targets the chip’s boot ROM before any operating system security measures activate.
Ledger Donjon’s team first identified anomalous memory access patterns during routine security testing of Android integration with Ledger Live in late 2025. Their investigation, spanning four months, traced the issue to a privilege escalation vulnerability in MediaTek’s proprietary secure environment. The researchers successfully demonstrated a proof-of-concept attack that extracts a 12-word seed phrase in 43 seconds. MediaTek assigned the vulnerability identifier CVE-2025-20435 and confirmed affected chip series include the Dimensity 700, 800, and 900 series, along with older Helio G95 and P90 platforms. These chips power devices from manufacturers like Xiaomi, Realme, Oppo, and TCL.
Impact on Millions of Android Cryptocurrency Users
The CVE-2025-20435 vulnerability directly impacts an estimated 280 million active Android devices worldwide, according to device telemetry data from analytics firm App Annie. Security experts warn that cryptocurrency users who store seed phrases or private keys in note-taking apps, password managers, or even encrypted storage on vulnerable devices face immediate risk. The attack requires only two to three minutes of unsupervised access to the physical device. Unlike software exploits, this hardware-level flaw cannot be patched with a standard operating system update. Instead, it requires a firmware update from the device manufacturer, a process that often experiences significant delays for mid-range phones.
- Immediate Physical Threat: The exploit enables seed extraction from powered-off devices, negating protections like screen locks or biometric authentication.
- Widespread Device Vulnerability: Over 50 distinct Android smartphone models across multiple brands contain the affected MediaTek chipsets.
- Irreversible Financial Risk: A compromised seed phrase grants permanent access to all cryptocurrency assets associated with that wallet, with no recovery mechanism.
Expert Analysis from Cybersecurity Authorities
Dr. Sarah Chen, Director of Mobile Security at the MITRE Corporation, contextualized the discovery. “This MediaTek vulnerability represents a paradigm shift in mobile cryptocurrency threat models,” Chen stated in an interview on March 12. “We’ve traditionally focused on remote software exploits. CVE-2025-20435 demonstrates that hardware trust anchors in budget and mid-range SoCs can become single points of failure. Users must reassess the practice of storing any cryptographic secret on general-purpose mobile devices.” MediaTek issued an official statement acknowledging the flaw and confirming they have provided firmware mitigation to device partners. However, the company noted that deployment depends on individual manufacturers’ update schedules, leaving many devices unprotected for months.
Historical Context of Hardware Wallet Vulnerabilities
The Ledger Donjon discovery follows a concerning trend of hardware-based vulnerabilities targeting cryptocurrency systems. In 2023, researchers at Samsung disclosed a similar secure element flaw in certain Exynos chips. The MediaTek vulnerability, however, is notable for its speed and simplicity. The table below compares recent significant hardware vulnerabilities affecting cryptocurrency storage.
| Vulnerability | Year Discovered | Affected Platform | Primary Risk |
|---|---|---|---|
| CVE-2025-20435 (MediaTek) | 2026 | Android Smartphones | Physical seed extraction from powered-off devices |
| Spectre V2 (CVE-2022-0001) | 2022 | Intel/AMD CPUs | Remote timing attacks on encryption keys |
| Exynos S7 Secure Element Flaw | 2023 | Samsung Phones | Fault injection to extract keys |
| STMicroelectronics Secure MCU Glitch | 2024 | Automotive & IoT | Side-channel attack on key generation |
Mitigation Strategies and Industry Response
Ledger Donjon recommends immediate action for users of potentially affected devices. The primary mitigation is to transfer all cryptocurrency assets to a wallet generated on a known-secure device, preferably a dedicated hardware wallet. Users should never store seed phrases or private keys in digital form on smartphones, even in encrypted apps. Instead, experts advocate for physical, offline storage like metal seed plates. The broader cryptocurrency industry has reacted swiftly. The Blockchain Security Alliance, a consortium of major exchanges and wallet providers, issued a security bulletin on March 13 urging users to verify their device’s chipset and manufacturer update status. Major Android wallet apps are preparing in-app warnings for users detected on vulnerable hardware.
Manufacturer and Community Reactions
Device manufacturers have begun responding unevenly. Xiaomi announced on March 12 that it would prioritize firmware updates for its Redmi Note series devices within 90 days. Realme and Oppo have yet to publish concrete timelines. The cryptocurrency community on platforms like Reddit and X has expressed significant concern, with many users reporting immediate asset migration. This incident has reignited debates about the security suitability of mobile devices for managing non-custodial cryptocurrency wallets, potentially accelerating adoption of air-gapped signing devices.
Conclusion
The discovery of CVE-2025-20435 by Ledger Donjon exposes a critical weakness in the hardware foundation of millions of Android devices. This MediaTek vulnerability allowing Android wallet seed extraction in under 45 seconds fundamentally alters the security calculus for mobile cryptocurrency management. While the immediate risk requires users of affected devices to migrate assets, the long-term implication is clearer industry scrutiny of hardware security in budget consumer electronics. As of March 13, 2026, the race is on between manufacturers deploying firmware patches and users securing their assets. The incident underscores the non-negotiable principle: seed phrases belong offline, never on general-purpose computing devices, regardless of perceived security.
Frequently Asked Questions
Q1: How can I check if my Android phone has a vulnerable MediaTek chip?
Use an app like CPU-Z or Device Info HW to identify your device’s chipset. If it lists a MediaTek Dimensity 700, 800, 900 series, Helio G95, or P90, your device is potentially vulnerable. Contact your manufacturer for firmware update information.
Q2: Does this vulnerability affect iPhones or devices with Qualcomm Snapdragon chips?
No. The CVE-2025-20435 vulnerability is specific to certain MediaTek system-on-chip designs. Apple’s iPhones use Apple-designed chips, and Qualcomm Snapdragon platforms use different secure boot architectures not currently known to be affected.
Q3: What is the timeline for manufacturers to release protective firmware updates?
As of March 13, 2026, MediaTek has provided patches to device makers. Deployment timelines vary by manufacturer. Xiaomi has committed to updates within 90 days for selected models. Other brands have not announced public timelines, which could take six months or longer for some devices.
Q4: If I use a software wallet on my phone, am I automatically at risk?
You are at risk if you have ever typed or stored your wallet’s seed phrase or private key on the vulnerable device. The exploit extracts data from storage. If you only use the wallet app for transactions and have never entered the seed on that device, your seed remains safe elsewhere.
Q5: How does this discovery affect the broader Android security ecosystem?
This flaw highlights systemic risks in the complex Android supply chain, where chipmakers, device manufacturers, and Google coordinate security. It pressures manufacturers to accelerate firmware updates and may lead to more rigorous hardware security standards for devices marketed for financial use.
Q6: What should a cryptocurrency user with an affected device do right now?
Immediately transfer all assets to a new wallet created on a verified secure device, such as a dedicated hardware wallet or a brand-new, fully updated smartphone with a non-MediaTek chip. Never store the new seed phrase digitally. Monitor your manufacturer’s website for security updates, but assume the device is compromised until proven otherwise.
