A security vulnerability has been discovered in certain Android smartphones equipped with MediaTek processors, posing a risk to crypto wallets through USB access. This exploit allows attackers to extract encrypted user data in under a minute. In a demonstration, security researchers were able to compromise a Nothing CMF Phone 1 in under 45 seconds. This vulnerability could potentially expose sensitive information such as PINs and seed phrases, threatening the security of personal cryptocurrency holdings Source.
The MediaTek Android vulnerability centers on an exploit of the device’s secure boot chain, which is crucial in ensuring the safety of the booting process. This vulnerability allows attackers to connect via USB, intercept, and extract root cryptographic keys before the operating system (OS) initializes. This interception enables offline decryption of user data, meaning that encrypted information can be accessed without booting the Android OS. Importantly, this method enables the recovery of crucial security elements such as PINs, decryption of storage, and extraction of seed phrases from crypto wallets.
The vulnerability was publicly demonstrated by the security research team known as Donjon, who successfully executed the exploit on a Nothing CMF Phone 1. They managed to compromise the phone’s security in less than 45 seconds, showcasing the potential ease and speed of such attacks. The capability to perform this attack without the OS initialization underscores the severity of the threat posed to personal and financial data stored on affected devices.
Ledger disclosed the vulnerability to MediaTek and Trustonic under a 90-day responsible disclosure policy. MediaTek publicly disclosed the vulnerability earlier this month. The security research team involved in the demonstration is known as Donjon. Source: Provided Content
The Nothing CMF Phone 1 is a known device on which the vulnerability was demonstrated. Other devices using MediaTek chips include Solana Seeker and smartphones from Samsung, Motorola, Xiaomi, POCO, Realme, Vivo, OPPO, Tecno, and iQOO. It is not yet clear which other handsets may be susceptible beyond the Nothing CMF Phone 1. The exposure could extend beyond crypto wallets to messages, photos, financial information, and account credentials. Source: Provided Content
This section summarizes the disclosure timeline and lists devices known to use MediaTek chips without asserting which additional handsets are affected. It records that Ledger notified MediaTek and Trustonic under a 90-day policy and that MediaTek made a public disclosure earlier this month. The overview also notes the types of user data identified as at risk. Source: Provided Content
The Chainalysis July 2025 report found that personal wallet compromises represented 23.35% of all stolen fund activity year-to-date in 2025. The security research team responsible for the demonstration is known as Donjon, and the team also issued direct statements describing the vulnerability.
“Donjon has struck again, discovering a MediaTek vulnerability potentially impacting millions of Android phones. Another reminder that smartphones aren’t built for security.”
“Even when powered off, user data—including PINs and [seed phrases]—can be extracted in under a minute.”
Security researchers demonstrated an exploit against a Nothing CMF Phone 1 that enabled extraction of protected user information via a USB connection. The demonstration underscores potential implications for other Android devices that use MediaTek processors, while it remains unclear which additional handsets may be vulnerable. The vulnerability is associated with risk to personal data stored on affected devices, including cryptocurrency wallet credentials and other sensitive information.
