Ledger said on Wednesday, March 11, that it has discovered a vulnerability that could affect as much as 25% of Android phones, letting hackers steal users’ private keys, according to a press release shared with The Defiant.
The hardware wallet company’s in-house white-hat security team, the Donjon, has disclosed a critical vulnerability in Android smartphones powered by MediaTek chips that allows an attacker to extract user data — including wallet seed phrases and PINs — in under a minute, even when the phone is off.
In a proof-of-concept test, the Donjon plugged a Nothing CMF Phone 1 into a laptop and, within 45 seconds, was able to recover the device’s PIN, decrypt its storage, and extract seed phrases from six major crypto wallet apps: Trust Wallet, Base, Kraken Wallet, Rabby, tangem, and Phantom.
Before the operating system of the MediaTek-powered Android device even loads, Ledger’s security team found that an attacker can connect over USB and steal the root cryptographic keys that ensure the phone’s full-disk encryption, per the release. The phone’s data can than be fully decrypted offline.
The vulnerability could affects phones using Trustonic’s Trusted Execution Environment (TEE), the release said, including the Solana Seeker phone.
“Smartphones were never designed to be vaults,” said Charles Guillemet, Ledger’s CTO, adding:
“If your crypto sits on a phone, it’s only as safe as the weakest link in that phone’s hardware, firmware, or software.”
Following the standard 90-day responsible disclosure process, Ledger said it reported the flaw to both MediaTek and Trustonic. MediaTek confirmed it delivered a fix to affected original equipment manufacturers in January.
Ledger advised users of potentially affected Androids to install the latest security updates immediately.
The news comes crypto-related theft has been on the rise. As The Defiant reported, 2025 was a record year for crypto crime, with North Korea alone stealing roughly $2 billion — including the $1.5 billion Bybit hack, the largest hack on record.
But the threat isn’t limited to centralized exchanges. In December, Trust Wallet confirmed $7 million was stolen via a malicious Chrome extension update that harvested seed phrases directly from users’ browsers. Hackers have also reportedly been increasingly using AI tools and phishing-as-a-service infrastructure to increase the number of attacks.
This article was written with the assistance of AI workflows. All our stories are curated, edited and fact-checked by a human.