Ledger Researchers Expose Android Flaw Enabling Wallet Seed Theft in Seconds

Ledger’s Donjon security team has identified a critical vulnerability in MediaTek chips that allows attackers with physical access to an Android device to extract PINs and wallet seed phrases in under 60 seconds by exploiting the processor’s boot ROM.

The flaw, which affects approximately 25 percent of Android devices including the Solana Seeker phone, resides in unpatchable factory-burned code and enables attackers to achieve EL3 privilege—the highest level of control on ARM architecture—through precisely timed voltage glitches.

Boot ROM Vulnerability Technical Details

Unpatchable Hardware Flaw

The vulnerability exists in the boot ROM of MediaTek’s Dimensity 7300 chip, code that is physically burned into the processor during manufacturing and cannot be modified or patched after the device leaves the factory. Ledger’s researchers discovered that electromagnetic pulses and perfectly timed voltage glitches can force the processor to skip its own security checks during the startup sequence.

Once the glitch succeeds, the attacker achieves EL3 privilege—the highest possible level of control on ARM architecture—granting full access to the device’s protected data. In testing, Ledger’s team accomplished this in approximately one second per attempt.

Data Partition Decryption

With EL3 access, attackers can decrypt the entire data partition offline, bypassing Android’s full-disk encryption and the protections normally provided by the trusted execution environment. This exposes private keys, PINs, wallet seed phrases, and any other sensitive information stored on the device.

The exploit can be executed by connecting a targeted phone via USB before the operating system loads, extracting cryptographic keys protecting Android’s encryption, and then decrypting storage offline—all without requiring any software-based compromise.

Affected Devices and Industry Impact

Scope of Vulnerability

MediaTek chips are used in approximately 25 percent of Android devices globally, primarily in mid-range smartphones from manufacturers across the ecosystem. The Solana Seeker phone, a blockchain-focused device designed for crypto applications, is among the affected models.

The vulnerability was reported to MediaTek in May 2025. The chip manufacturer’s response reportedly characterized physical attacks as outside their primary security concern, though a software workaround is scheduled for inclusion in the March 2026 Android Security Bulletin.

Threat Model Implications

Ledger Chief Technology Officer Charles Guillemet emphasized that the research proves “what we’ve long warned: smartphones were never designed to be vaults.” He noted that while patches can address some security issues, “it shows the challenge of storing secrets on non-secure devices. If your crypto sits on a phone, it’s only as safe as the weakest link in that phone’s hardware, firmware, or software.”

Rising Threat to Mobile Wallets

Crypto Theft Trends

The vulnerability disclosure comes amid escalating attacks targeting user wallets. Infrastructure attacks—including private key thefts, seed phrase heists, and front-end hijacks—accounted for more than 80 percent of the $2.1 billion stolen in the first half of 2025, according to blockchain intelligence firm TRM Labs.

Full-year losses from crypto theft exceeded $3.41 billion in 2024, Chainalysis data shows. The blockchain intelligence firm noted a significant shift in attack patterns, with personal wallet compromises growing from 7.3 percent of total stolen value in 2022 to 44 percent in 2024, affecting more than 158,000 cases.

Proof of Concept

In Ledger’s proof-of-concept testing, the exploit successfully recovered sensitive wallet data from multiple applications including Trust Wallet, Kraken Wallet, and Phantom, demonstrating that no app-level security can protect users when the underlying hardware foundation is compromised.

Mitigation and Recommendations

Limited Patching Options

Because the flaw resides in hardware ROM, no software patch can fully remediate the vulnerability for devices already in circulation. The upcoming Android Security Bulletin will include a software workaround, but devices remain exposed to physical attackers with the necessary equipment and expertise.

Hardware Wallet Recommendation

Ledger advises users storing significant cryptocurrency value on mobile wallets to transfer funds to dedicated hardware wallets immediately. The company’s security team emphasized that phones were never architected as secure vaults and that this vulnerability exposes the fundamental limitations of mobile devices for high-value crypto storage.

Industry Implications

The disclosure raises fundamental questions for mobile-first crypto projects about whether consumer smartphones can serve as secure foundations for digital asset storage. As personal wallet theft becomes an increasingly dominant attack vector, the viability of phone-based crypto storage faces growing scrutiny.

FAQ: MediaTek Android Vulnerability

Q: Which devices are affected by this vulnerability?

A: The flaw affects Android devices using MediaTek Dimensity 7300 chips, representing approximately 25 percent of Android phones. Affected devices include mid-range smartphones from multiple manufacturers and the Solana Seeker crypto-focused phone.

Q: Can this vulnerability be patched?

A: No, because the vulnerability resides in the boot ROM—code permanently burned into the chip during manufacturing—it cannot be modified or patched. A software workaround will be included in the March 2026 Android Security Bulletin, but the underlying hardware flaw remains.

Q: How quickly can an attacker extract wallet data?

A: In Ledger’s testing, the exploit achieved EL3 privilege in approximately one second per attempt. From there, the entire data partition can be decrypted offline, exposing private keys, PINs, and seed phrases in under 60 seconds total.

Q: What wallets were vulnerable in testing?

A: Ledger’s proof-of-concept successfully extracted sensitive data from Trust Wallet, Kraken Wallet, and Phantom, demonstrating that the vulnerability bypasses app-level security to access protected storage.