Ledger’s Donjon security research team disclosed a critical vulnerability in MediaTek processors on March 11, 2026. The flaw lives in MediaTek’s secure boot chain, the low-level process that initializes a device before the operating system loads. Researchers found that an attacker with physical access and a USB cable could extract encryption keys from the device before Android even starts. Those keys allow full decryption of the device’s storage and enable PIN brute-forcing. Ledger CTO Charles Guillemet was direct: “Smartphones were never designed to be vaults.”
The Ledger Donjon plugged a Nothing CMF Phone 1 into a laptop and breached the phone’s foundational security within 45 seconds.
— Charles Guillemet (@P3b7_) March 11, 2026
This has the potential to affect millions of Android smartphones using Trustonic’s TEE and MediaTek processors.
How the Attack Works
The attack requires no screen unlock, no operating system boot, and no special software on the target device. An attacker connects a laptop to the phone via USB before the OS loads, then exploits the vulnerable boot chain to pull cryptographic keys. With those keys, the attacker decrypts the phone’s storage offline and brute-forces the PIN to access wallet data. In proof-of-concept testing on a Nothing CMF Phone 1, researchers completed the full extraction in roughly 45 seconds. Some variants of the technique also use electromagnetic fault-injection to gain the highest ARM privilege level, giving the attacker complete device control.
This research highlights a fundamental architectural difference: General-purpose chips are built for convenience. Secure Elements are built for key protection. A dedicated Secure Element isolates secrets from the rest of the system, protecting them even under physical attack.
— Charles Guillemet (@P3b7_) March 11, 2026
Affected Devices and Wallets
The vulnerability affects devices using MediaTek chips paired with Trustonic’s Trusted Execution Environment (TEE). Researchers estimate that approximately 25% of Android phones globally fall within this scope. Manufacturers with affected devices include Samsung, Motorola, Xiaomi, POCO, Realme, Vivo, OPPO, Tecno, and iQOO. In testing, Ledger’s team successfully extracted seed phrases from Trust Wallet, Kraken Wallet, Phantom, Base Wallet, Rabby, and Tangem’s mobile wallet. The attack worked against every tested wallet because the flaw sits at the hardware layer, below where any wallet software can defend itself.
“Smartphones were never designed to be vaults”
-Ledger CTO Charles Guillemet
The Solana Seeker Problem
One device faces particular scrutiny in the disclosure: the Solana Seeker. The Seeker is a crypto-focused Android smartphone with a built-in wallet, marketed specifically for blockchain users. It uses the MediaTek Dimensity 7300 chip, which researchers identify as vulnerable. Because the Seeker stores private keys directly on the device by design, it concentrates risk in exactly the way this exploit targets. This disclosure arrives at an uncomfortable moment, as the Seeker was positioned as a secure, purpose-built device for the on-chain audience.
Responsible Disclosure and Patches
Ledger followed a 90-day responsible disclosure process before going public. The team notified MediaTek and Trustonic of the vulnerability, giving both companies time to respond. MediaTek issued a patch to device manufacturers on January 5, 2026, and the March 2026 Android Security Bulletin included a workaround. However, no complete list of affected device models has been released. Users must wait for their specific manufacturer to push the update, and many budget and mid-range phones on affected chips may never receive it.
What Users Should Do
The most immediate step is applying any pending Android security updates. If your phone uses a MediaTek processor and has not received the March 2026 security patch, treat it as an elevated risk for storing crypto wallet data. Ledger’s broader point is structural: consumer smartphones are not designed as secure key stores, and this flaw illustrates why. Hardware wallets use purpose-built secure element chips that isolate private keys in a way consumer phone hardware cannot match. For anyone holding meaningful crypto value, this disclosure reinforces why dedicated hardware remains the more defensible choice.
*Disclaimer: News content provided by Genfinity is intended solely for informational purposes. While we strive to deliver accurate and up-to-date information, we do not offer financial or legal advice of any kind. Readers are encouraged to conduct their own research and consult with qualified professionals before making any financial or legal decisions. Genfinity disclaims any responsibility for actions taken based on the information presented in our articles. Our commitment is to share knowledge, foster discussion, and contribute to a better understanding of the topics covered in our articles. We advise our readers to exercise caution and diligence when seeking information or making decisions based on the content we provide.
