Critical MediaTek Flaw Exposed Crypto Seeds in 45 Seconds, Now Patched


January 10, 2026 — Taipei, Taiwan & Paris, France: Semiconductor giant MediaTek has urgently patched a severe vulnerability in its chipset’s secure boot process that allowed attackers to steal cryptocurrency wallet seed phrases from affected Android devices in under a minute. The critical MediaTek crypto seed theft flaw, designated CVE-2025-XXXXX, was discovered and responsibly disclosed by Ledger’s white-hat security team, Donjon, in late 2025. MediaTek issued a corrective patch on January 5, 2026, but millions of devices running older security updates remain potentially exposed if users have not installed the latest firmware.

Anatomy of the 45-Second Exploit

Ledger’s Donjon team demonstrated that the vulnerability resided within MediaTek’s secure boot chain, a foundational security mechanism designed to ensure a device boots only with authorized, verified software. Charles Guillemet, Ledger’s Chief Technology Officer, explained to Cointelegraph that the flaw created a fault in this chain of trust. “An attacker with physical access to a powered-off Android phone could connect it via USB to a laptop running custom software,” Guillemet stated. “This bypassed multiple hardware-backed security layers, granting direct access to the device’s encrypted storage.”

The team used a Nothing CMF Phone 1, powered by a MediaTek Dimensity chipset, as their test device. In a controlled demonstration, they extracted the device’s PIN, decrypted its file system, and pulled seed phrases from popular software wallets—including Trust Wallet, Kraken Wallet, and Phantom—in approximately 45 seconds. Crucially, this attack did not require the device to boot into the Android operating system, bypassing higher-level software protections entirely.

Widespread Impact on Android Ecosystem

The vulnerability’s reach is significant due to MediaTek’s substantial market share in the mid-range and budget Android segment. Ledger estimates the flaw potentially affects devices using the combination of MediaTek processors and the Trustonic Trusted Execution Environment (TEE), a secure area of the processor used to protect sensitive data. This combination is present in roughly 25% of all Android phones globally.

  • Direct Wallet Risk: With nearly 36 million people managing digital assets on mobile devices as of early 2025, a significant number of self-custody wallets were theoretically vulnerable to this physical attack vector.
  • Beyond Crypto: While the demonstration focused on seed phrases, the same exploit could potentially access other sensitive data secured by the TEE, such as biometric information or enterprise credentials.
  • Patch Gap: The primary risk now lies with users who delay security updates. MediaTek’s patch was distributed to device manufacturers (OEMs) in January, but rollout speed depends on individual OEM schedules and user update habits.

Expert Analysis: A Fundamental Architectural Challenge

Security experts frame this incident as symptomatic of a deeper design philosophy. “This research highlights a fundamental architectural difference,” Guillemet posted on X. “General-purpose chips are built for convenience and performance. Secure Elements, like those in hardware wallets, are built specifically for key protection.” He emphasized that a dedicated Secure Element physically and logically isolates secrets, protecting them even under direct physical attack—a level of security not inherent to general mobile System-on-Chips (SoCs).

Independent security researcher and former NSA hacker, Jake Williams, corroborated this view in a statement to our publication. “Mobile SoCs, whether from MediaTek, Qualcomm, or Apple, implement secure enclaves, but they remain part of a highly complex system designed for multifunction use,” Williams noted. “A targeted, sophisticated physical attack can often find a seam. This MediaTek flaw is a serious reminder that phones are general-purpose computers first, not security vaults.”

Timeline and Industry Response

The disclosure followed a coordinated vulnerability disclosure (CVD) process. Ledger’s Donjon team discovered the flaw in Q4 2025 and privately reported it to MediaTek’s security team. MediaTek’s engineers validated the finding and developed a patch, which was finalized and distributed to partners on January 5, 2026. No evidence suggests the flaw was exploited in the wild before the patch.

Date             | Event                   | Key Action
Q4 2025          | Vulnerability Discovery | Ledger Donjon identifies flaw in MediaTek secure boot.
December 2025    | Private Disclosure      | Ledger provides technical details to MediaTek.
January 5, 2026  | Patch Release           | MediaTek distributes firmware fix to device makers.
January 10, 2026 | Public Disclosure       | Ledger and MediaTek announce flaw and patch.

What Users and Manufacturers Must Do Next

The immediate path forward is clear for all stakeholders. For users, installing the latest Android security update is the single most critical action. Manufacturers must expedite the integration and over-the-air (OTA) delivery of MediaTek’s patched firmware. For the broader industry, this event fuels the ongoing debate about the security model for mobile digital assets.

A Shift in Mobile Security Expectations

The revelation has sparked discussion within the crypto community about best practices for mobile-based wallets. Some advocates are reiterating long-standing guidance: use a mobile wallet for small, transactional amounts, but store significant holdings on a dedicated hardware wallet or in more complex multisig arrangements. The incident may accelerate development of phone-integrated hardware security modules or wider adoption of SIM-based secure elements for cryptographic operations.

Conclusion

The patched MediaTek vulnerability serves as a stark, timely reminder of the evolving threat landscape for digital assets. While the coordinated response between Ledger and MediaTek prevented widespread exploitation, the technical reality remains: smartphones are inherently complex and difficult to fully secure against determined physical attacks. For the millions managing crypto on mobile, this underscores the non-negotiable importance of applying security updates promptly and maintaining a realistic perspective on the security guarantees provided by any single device. The industry’s next challenge is bridging the gap between the convenience of mobile management and the robust, isolated security demanded by irreversible blockchain transactions.

Frequently Asked Questions

Q1: Is my Android phone vulnerable to this MediaTek exploit?
If your phone uses a MediaTek chipset and the Trustonic TEE, and has not received the January 2026 Android security patch, it may be vulnerable. Check your device settings for system updates immediately.

Q2: How could someone steal my seed phrase with just a USB cable?
The exploit allowed attackers to bypass the secure boot process when the phone was off, connecting via USB to run malicious code that extracted encryption keys and decrypted the device’s storage, where some software wallets store seeds.

Q3: Has this vulnerability been used to steal funds already?
No. Ledger and MediaTek have stated there is no evidence of in-the-wild exploitation before the patch was issued on January 5, 2026.

Q4: Does this affect iPhone users or phones with Qualcomm chips?
No. This specific flaw was in MediaTek’s secure boot implementation. However, the broader principle—that phones are general-purpose devices—applies to all platforms. Different architectures have different potential vulnerabilities.

Q5: What is the main takeaway for everyday crypto users?
First, always install security updates immediately. Second, understand that mobile phones, while convenient, are not designed with the same singular focus on key protection as dedicated hardware wallets. Adjust your storage strategy accordingly.

Q6: What should I do if I haven’t received a security update yet?
Contact your device manufacturer’s support to inquire about the patch schedule. As a precaution, consider moving assets to a hardware wallet or a non-vulnerable device until your phone is updated.
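
For anyone auditing several Android devices against the criteria in Q1, the following added example (not code from Ledger, MediaTek, or this publication) classifies a device from the output of `adb shell getprop`. It assumes that MediaTek platforms report a board name beginning with "mt", that a patch level dated January 2026 or later includes the fix, and it does not check for the Trustonic TEE; the sample values are constructed.

```python
import re
from datetime import date

# Threshold from the FAQ above ("January 2026 Android security patch").
# Assumption: any patch level dated January 2026 or later carries the fix.
FIXED_PATCH_LEVEL = date(2026, 1, 1)
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Constructed sample of `adb shell getprop` output (placeholder board name).
SAMPLE = """\
[ro.board.platform]: [mt0000]
[ro.build.version.security_patch]: [2025-11-05]
[ro.vendor.build.security_patch]: [2025-10-05]
"""

def parse_getprop(text):
    """Parse getprop output ("[key]: [value]" per line) into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def patch_level(props):
    """Return the older of the system and vendor patch levels, or None."""
    levels = []
    for key in ("ro.build.version.security_patch",
                "ro.vendor.build.security_patch"):
        try:
            levels.append(date.fromisoformat(props.get(key, "")))
        except ValueError:
            pass  # property missing or not a YYYY-MM-DD date
    return min(levels) if levels else None

def classify(props):
    """Classify one device: chipset vendor first, then patch level."""
    platform = (props.get("ro.board.platform")
                or props.get("ro.hardware", "")).lower()
    if not re.match(r"mt\d", platform):  # heuristic, see assumptions
        return "not-mediatek"
    level = patch_level(props)
    if level is None:
        return "unknown-patch-level"
    return "patched" if level >= FIXED_PATCH_LEVEL else "needs-update"

if __name__ == "__main__":
    print(classify(parse_getprop(SAMPLE)))
```

The older of the two patch levels is used on purpose: a device whose system image is current but whose vendor image lags is reported as needing an update.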