Ledger Donjon exposed a MediaTek vulnerability that extracts Android wallet seed phrases in under 45 seconds, affecting millions of devices. CVE-2025-20435.
Ledger Donjon has uncovered a serious MediaTek vulnerability. It lets attackers pull wallet seed phrases from Android phones in seconds. The phone does not even need to be on.
Charles Guillemet, posting as @P3b7_ on X, broke the findings publicly. He confirmed that @DonjonLedger had once again discovered a flaw with serious reach. According to Guillemet on X, user data, including PINs and seed phrases, can be extracted in under a minute, even from a powered-off device.
The scale here matters. Millions of Android phones run MediaTek processors. Trustonic’s Trusted Execution Environment is also caught in this.
Your Phone Off Means Nothing Now
As Guillemet tweeted on X, the Ledger Donjon team plugged a Nothing CMF Phone 1 into a laptop. Within 45 seconds, the phone’s foundational security was gone. No complicated setup. No special hardware. Just a laptop connection and a timer.
Worth a read: Crypto security threats are rapidly escalating heading into 2026
The exploit never even touched Android. As Guillemet posted on X, the attack automatically recovered the PIN, decrypted device storage, and pulled seed phrases from the most popular software wallets. All before the operating system loaded.
That is not a small gap. That is a structural failure.
The Chip Architecture Problem Nobody Wanted to Admit
General-purpose chips trade security for speed and ease. Guillemet made that point directly in his X thread. A dedicated Secure Element keeps secrets isolated from everything else on the device. MediaTek chips were not built that way. Trustonic’s TEE sits inside the same chip handling everyday tasks. Physical access collapses that boundary.
You might also like: How 2025 became crypto’s most damaging year for security
This is not the first time researchers have questioned smartphone security for crypto users. It keeps coming back to the same architecture gap. Convenience chip versus security chip. They are not the same thing.
Responsible Disclosure, Then the Fix
Ledger Donjon did not release this publicly without warning. As Guillemet confirmed on X, the team followed a strict responsible disclosure process with all relevant vendors. MediaTek confirmed it provided a fix to OEMs on January 5, 2026. The vulnerability is now publicly listed as CVE-2025-20435.
Must read: Ledger eyes New York listing as crypto wallet hacks surge
OEMs received the fix. Whether those patches reached end users is another question entirely. Android fragmentation is a real problem. Older devices from smaller manufacturers often sit unpatched for months.
Why Software Wallets Took the Hit
Seed phrases stored on a software wallet live inside the device. They depend entirely on the security of the chip underneath. When that chip fails, everything above it fails too.
Guillemet’s thread on X closed with clarity on motive. The research was not done to create fear. It was done so the industry could fix the vulnerability before attackers got there first. That window is now closed, at least for this specific flaw.
Related: Cross-platform wallet drainers are getting harder to detect
Software wallets on Android have always carried this risk. The MediaTek vulnerability just put a number on it. Forty-five seconds. That is all it took.
#Ledger #Donjon #Finds #MediaTek #Flaw #Exposing #Android #Wallet #Seeds
