Ledger Researchers Find MediaTek Android Flaw That Could Expose Crypto Wallet Seed Phrases — Here’s Why It's Concerning
Share
Key Takeaways
The CVE-2025-20435 exploit requires no malware, no internet connection, and no password.
MediaTek powers a huge share of the global Android market, particularly in mid-range and budget devices popular across Asia, Latin America, and Africa.
Unlike some hardware-level flaws, this vulnerability can be fixed through firmware updates.
If your device no longer receives security patches, treat any crypto stored on it as at risk and move assets to a more secure solution.
Imagine handing your phone to a stranger for 45 seconds and walking away with an empty crypto wallet. That terrifying scenario is no longer hypothetical.
Ledger’s internal security research team, known as Donjon, has uncovered a critical vulnerability in Android devices powered by MediaTek processors – a flaw that could allow an attacker to extract a device’s PIN, decrypt its storage, and steal seed phrases from major cryptocurrency wallets, all without ever booting the phone’s operating system.
The vulnerability has been formally catalogued as CVE-2025-20435, and its implications for the roughly one in four Android users who may be affected are deeply unsettling.
Some Android phones can be fully decrypted in ~45 seconds.
Researchers from @Ledger Donjon team discovered a flaw in parts of MediaTek’s secure boot chain.
With physical access and just a USB cable, attackers can:
What Is the MediaTek Android Security Flaw Discovered by Ledger?
At the heart of this vulnerability is a weakness in MediaTek’s secure boot chain, the sequence of checks a device performs before the operating system loads. Normally, this process acts as a gatekeeper, ensuring that only trusted, verified software runs on the device from the moment it powers on. In the affected MediaTek chips, however, this gatekeeper can be bypassed.
An attacker with physical access to a phone can connect it via USB before the operating system loads, extract the cryptographic keys protecting Android’s full-disk encryption, and then decrypt the storage offline. In other words, the attack doesn’t require the phone to be unlocked, logged into, or even running. The device just needs to be physically in the attacker’s hands.
Without booting Android, the exploit cracked the PIN, decrypted the phone, and pulled seed phrases from popular wallets. | Source: @P3b7_ on X.
45-Second Exploit Demonstration
Ledger’s Donjon team demonstrated the flaw by connecting a Nothing CMF Phone 1 to a laptop and compromising the device’s security in under 45 seconds. Without ever booting into Android, the exploit automatically recovered the phone’s PIN, decrypted its storage, and extracted seed phrases from several major crypto wallets, including:
Trust Wallet
Base
Kraken Wallet
Rabby
Tangem’s mobile wallet
Phantom
The speed and simplicity of the attack are what make this particularly alarming. No sophisticated social engineering. No malware installation. Just a USB cable and under a minute of access.
Which Android Devices and Users Are Affected by CVE-2025-20435?
The scale of potential exposure is enormous. The flaw may affect around 25 percent of Android smartphones using MediaTek chips and Trustonic’s Trusted Execution Environment. MediaTek is one of the world’s most prolific chipmakers, powering hundreds of mid-range and budget Android devices sold globally.
Devices from major brands such as Samsung, Motorola, Xiaomi, OPPO, and Vivo incorporate these chips. The crypto-focused Solana Seeker also uses MediaTek hardware, although it remains unclear which specific models beyond the Nothing CMF Phone 1 are confirmed as vulnerable.
This isn’t just a niche problem affecting budget handsets. Mid-range MediaTek-powered phones are extraordinarily popular across Asia, Latin America, and Africa – regions where crypto adoption is growing the fastest. The intersection of widespread chipset usage and surging crypto uptake in developing markets creates a particularly dangerous exposure window.
Why Crypto Wallet Seed Phrases Are the Ultimate Target
To understand why this flaw is so devastating for crypto users, you need to understand what a seed phrase, also called a mnemonic or recovery phrase, actually is. Typically a sequence of 12 to 24 random words, the seed phrase is the master key to a crypto wallet. Anyone who possesses it gains complete, irrevocable control over every asset held in that wallet – no password, no 2FA, no secondary confirmation required.
With access to a wallet mnemonic or seed phrase, attackers can fully control a crypto wallet and transfer funds without ever needing the device again.
Software wallets on phones, like the ones demonstrated in Ledger’s research, store these seed phrases within the device’s encrypted storage, trusting that the encryption itself provides sufficient protection. The MediaTek flaw demolishes that assumption entirely, extracting the seed before the phone’s defenses ever get a chance to engage.
Why This Vulnerability Matters in the Context of the Broader Crypto Theft Crisis
This discovery doesn’t exist in a vacuum. It arrives amid a dramatic escalation in crypto theft targeting individual users. Infrastructure attacks, including private-key thefts, seed-phrase heists, and front-end hijacks – accounted for more than 80% of the $2.1 billion stolen in the first half of 2025, according to blockchain intelligence firm TRM Labs.
The trend is worsening over time. Losses from crypto asset theft exceeded $3.41 billion for the full year of 2024, with the proportion of individual wallet thefts rising from just 7.3% in 2022 to a staggering 44% by 2024. Attackers are increasingly skipping exchanges and protocols entirely, going straight for the individual user and the phone in their pocket.
How Ledger’s Donjon Team Disclosed the MediaTek Vulnerability
Donjon discovered the vulnerability while conducting research into Android’s flash encryption security. Ledger reported the flaw to MediaTek and mobile security company Trustonic under a 90-day responsible disclosure policy. MediaTek reportedly provided a patch to device manufacturers in January, though the company did not publicly acknowledge the issue until March.
This responsible disclosure process, where researchers privately alert vendors before going public, is considered best practice in the cybersecurity world. It gives manufacturers time to develop and distribute fixes before the vulnerability can be weaponised at scale. Patch distribution for Android devices varies by manufacturer and model, often depending on the original equipment manufacturer integrating vendor fixes into firmware and security releases.
It’s also worth noting this isn’t Ledger Donjon’s first rodeo. In a separate finding, researchers discovered that the MediaTek Dimensity 7300 chip had a hardware weakness allowing attackers to bypass security checks using electromagnetic fault injection – a flaw that cannot be fixed via software updates because it exists at the hardware level. The current CVE-2025-20435 vulnerability, by contrast, is firmware-based and can be patched.
How to Protect Your Crypto Wallet From the MediaTek Android Flaw
The flaw highlights a critical risk for Android users storing cryptocurrency on mobile devices without additional security protections. Here’s how you can protect your crypto wallet:
Immediate Steps Every Affected User Should Take
The most immediate action any affected user can take is to update their device’s firmware and security patches. Ledger urged users of affected phones to install the latest available security updates, and argued that upgradeable firmware is fundamental to long-term device security.
Why Hardware Wallets Offer Superior Protection Against This Class of Attack
Beyond patching, the deeper lesson here is about crypto custody philosophy. Ledger CTO Charles Guillemet put it plainly: smartphones were never designed to be vaults. If your crypto sits on a phone, it is only as safe as the weakest link in that phone’s hardware, firmware, or software stack.
🚨 @DonjonLedger has struck again discovering a MediaTek vulnerability potentially impacting millions of Android phones. Another reminder that smartphones aren’t built for security. Even when powered off, user data – including pins & seeds – can be extracted in under a minute.
Hardware wallets – dedicated, air-gapped devices built specifically to store cryptographic secrets – remain significantly more resistant to this class of attack. The seed phrase never leaves the device in an extractable form, and there is no general-purpose operating system to exploit.
However, hardware wallets are not completely immune to security incidents. For example, in June 2020, an unauthorized third party exploited a misconfigured API key to gain access to Ledger’s e-commerce and marketing database. The breach exposed roughly 1 million email addresses, with a subset of about 272,000 to 292,000 customers having more sensitive personal information leaked, including full names, physical addresses, and phone numbers.
This breach fueled long-lasting, sophisticated phishing campaigns, with some users receiving threats of violence and physical letters to their homes.
These incidents highlight an important reality: hardware wallets significantly reduce the risk of remote key theft, but security still depends on the surrounding ecosystem — software tools, supply chains, and user behavior. Even with the strongest device, users must protect their recovery phrases, verify transaction details on the device screen, and avoid phishing attacks.
For users holding meaningful amounts of cryptocurrency, the best approach is layered security: use a hardware wallet for long-term storage while treating seed phrases and recovery backups as highly sensitive secrets.
Your Phone Was Never a Vault
The MediaTek flaw discovered by Ledger’s Donjon team is a stark reminder that the security of your digital assets is only as strong as the most vulnerable component in your setup.
A powerful exploit, a USB cable, and 45 seconds are all it takes to drain a wallet. As crypto adoption grows and attackers grow bolder, the cost of keeping your seed phrase on a general-purpose smartphone has never been higher.
Patch your device today. And seriously consider whether your phone is the right place to be keeping your life savings.
How do I know if my Android phone is affected by the MediaTek CVE-2025-20435 flaw?
If your Android device uses a MediaTek processor paired with Trustonic’s Trusted Execution Environment, it may be vulnerable. Brands confirmed to use affected MediaTek chips include Samsung, Motorola, Xiaomi, OPPO, and Vivo. The Nothing CMF Phone 1 was the device used in Ledger’s demonstration. Check your phone’s settings under “About Device” to identify your chipset, and visit your manufacturer’s security patch page to confirm whether a fix has been issued for your specific model.
Does this flaw mean my crypto wallet has already been hacked?
Not necessarily. The attack requires physical access to your device, someone needs to actually have your phone in their hands and connect it via USB to exploit the vulnerability. If your device has not left your possession and you have applied the latest security updates, your risk remains low. However, if your phone has been lost, stolen, or left unattended for any period of time, you should treat your seed phrase as potentially compromised and consider moving your funds to a new wallet immediately.
Will updating my phone fully fix the vulnerability?
For most users, yes – CVE-2025-20435 is a firmware-level flaw, which means it can be patched through software updates, unlike hardware-based vulnerabilities. However, the timing and availability of patches depend entirely on your device manufacturer. Some brands push security updates quickly; others lag significantly behind. If your phone is older or no longer receives security updates, you may never receive a fix and should consider migrating your crypto assets to a hardware wallet as a priority.
Are hardware wallets like Ledger itself immune to this type of attack?
Hardware wallets are far more resistant to this class of attack because they are purpose-built security devices with no general-purpose operating system to exploit. Seed phrases stored on a hardware wallet never leave the device in an extractable form, even when connected to a compromised computer or phone. While no device is completely immune to every possible attack vector, a hardware wallet eliminates the specific weaknesses – Android’s encryption layer, MediaTek’s boot chain – that make this exploit possible on smartphones.
Disclaimer:
The information provided in this article is for informational purposes only. It is not intended to be, nor should it be construed as, financial advice. We do not make any warranties regarding the completeness, reliability, or accuracy of this information. All investments involve risk, and past performance does not guarantee future results. We recommend consulting a financial advisor before making any investment decisions.
Onkar Singh has three years of experience as a digital finance content creator. Throughout his career, he has collaborated with various DeFi projects and crypto media outlets. In his leisure time, he enjoys fitness activities at the gym and watching movies across different genres. Balancing his professional and personal interests, Onkar continues to contribute to the digital finance landscape while pursuing his hobbies.
Easy 
