Security researchers at Ledger have discovered a major flaw in some Android smartphone chips that lets an attacker siphon encrypted user data like passwords and private keys in a matter of seconds using just a USB connection.
Summary
- Ledger’s Donjon security team discovered a vulnerability in MediaTek and Trustonic TEE chips that could allow attackers to extract encrypted data from Android phones in under 45 seconds.
- The exploit bypasses the secure boot chain before Android loads, allowing attackers to recover the device PIN, decrypt storage and extract seed phrases from popular wallets.
The vulnerability was first spotted in January by Ledger’s internal security research team, Donjon, Ledger Chief Technology Officer Charles Guillemet wrote in a recent X post.
According to Guillemet, the vulnerability affected smartphones powered by MediaTek and Trustonic’s TEE processors.
MediaTek has since issued a security patch to fix the issue; users who have not installed the latest security updates on their devices may still remain at risk.
White hat hackers were able to penetrate a smartphone from manufacturer Nothing, notably the company’s CMF 1 phone, in under 45 seconds using a laptop.
“Without ever even booting into Android, the exploit automatically recovered the phone’s PIN, decrypted its storage, and extracted the seed phrases from the most popular software wallets,” Guillemet said.
This puts software wallets like Trust Wallet, Base, Kraken Wallet, Rabby, Tangem’s mobile wallet, and Phantom at risk, as the seed phrases and other sensitive credentials are stored locally on the device.
In their report, researchers noted that the vulnerability allowed attackers with physical access to bypass the phone’s security protections through the secure boot chain, which is a core startup process that runs at the highest privilege level before the operating system loads. Subsequently, the attacker can recover the device’s PIN, decrypt its storage, and extract the information.
“This has the potential to affect millions of Android smartphones,” Guillemet added.
Estimates suggest nearly 36 million people manage digital assets on their smartphones, which means that if attackers manage to exploit a vulnerability, it could put a large number of wallets at risk.
Guillemet advised using devices with dedicated secure elements that are built for key protection and can safeguard sensitive data even under physical attack.
The Ledger team also detailed a separate attack it tested on MediaTek Dimensity 7300 processors (MT6878) in December, where the team used electromagnetic fault injection to disrupt the chip’s boot process. It allowed them to bypass security checks and ultimately gain full control over the smartphone at the highest privilege level.
As covered by crypto.news on several occasions, crypto users have been targeted across multiple platforms, including iOS, macOS, and Windows.
While Android devices are often easier to compromise due to Google’s more open ecosystem and flexible app distribution model, Apple’s iOS devices have also developed unique attack vectors that target users through malicious frameworks embedded inside otherwise legitimate apps.
For instance, last year, security researchers discovered a malicious app that infiltrated both iOS and Android devices by requesting file access and subsequently scanning device storage to extract wallet data. Although not as technically severe in nature as hardware-level exploits, the scheme still managed to steal more than $1.8 million in cryptocurrency.
Around the same time, Kaspersky flagged a malware campaign that spread through malicious software development kits embedded in seemingly harmless apps.