MediaTek TEE flaw lets attackers extract Android wallet seed phrases and PINs via USB
Security researchers at Ledger’s Donjon team discovered a critical vulnerability in MediaTek chips and the Trustonic Trusted Execution Environment (TEE) that lets an attacker with physical access extract encrypted data from Android phones via USB in under 45 seconds. The exploit bypasses the secure boot chain before Android loads, allowing recovery of the device PIN, decryption of storage and extraction of seed phrases from popular mobile wallets (demonstrated targets include Trust Wallet, Base, Kraken Wallet, Rabby, Tangem Mobile Wallet and Phantom). Ledger demonstrated the attack on a Nothing CMF 1 phone and used electromagnetic fault injection on a MediaTek Dimensity 7300 (MT6878) to disrupt boot checks and gain full control.
MediaTek has released a patch; unpatched devices running affected Trustonic TEE firmware remain at risk. Ledger emphasised that general-purpose smartphones are hard to secure compared with devices using isolated Secure Elements and recommended users apply vendor security updates promptly and prefer hardware with dedicated secure elements for key storage.
Estimated exposure is large — millions of Android users manage crypto on phones — so traders should assume elevated risk for mobile-held keys and consider moving funds to more secure storage or hardware wallets until devices are patched.
Bearish
This vulnerability directly targets seed phrases and device PINs on Android devices, increasing the risk of immediate, irreversible asset loss for funds held in mobile software wallets. Short-term impact: heightened selling pressure and risk aversion among users who keep crypto on affected phones; some may move assets into hardware wallets or exchanges, increasing on-chain activity and potential downward pressure on smaller tokens. Long-term impact: limited — the core protocol value of major cryptocurrencies is unchanged — but sustained negative sentiment toward mobile custody could reduce retail on-chain activity and lower demand for mobile-native tokens and services. Because the exploit requires physical access and specific vulnerable hardware/firmware, the overall market-wide price shock should be contained, but assets predominantly held by retail mobile users face elevated short-term risk. Traders should consider reducing exposure to tokens stored primarily in mobile wallets, monitor patch rollout, and watch on-chain flows related to hardware wallet adoption.