**Hacker Pranks: "Smartphones are Never Secure": Vulnerability Exposes Over 1 Billion Android Devices**
A recent discovery by Ledger's white-hat hacking team, the Donjon, has shed light on a critical vulnerability in MediaTek-powered Android smartphones that allows attackers to access sensitive data, even when the device is switched off. This exploit affects devices using Trustonic's Trusted Execution Environment alongside MediaTek processors, found in approximately one in four Android smartphones worldwide.
The Donjon team was able to bypass the Android operating system completely and recover the PIN, decrypt storage, and extract seed phrases from multiple crypto wallets on a Nothing CMF Phone 1 in under a minute. This vulnerability (CVE-2025-20435) highlights the risks inherent in relying on mobile devices to store private data, including crypto wallets and other sensitive information.
**How Hackers Can Steal PINs and Private Data**
The Donjon team discovered that attackers can connect to a powered-down phone over USB and retrieve root cryptographic keys before the operating system loads. These keys allow offline decryption of storage and brute-forcing of the device PIN, exposing application data, including messages, photos, and wallet information.
This zero-click attack reveals that Android smartphones frequently lack sufficient hardware and firmware protections to secure sensitive user information against advanced exploits. The Donjon team's research proves what Ledger has long warned: "smartphones were never designed to be vaults."
**The Risks of Hardware-Based Attacks**
Users should be aware that even modern business smartphones carry inherent security risks, and hardware, firmware, or software flaws can expose sensitive data without warning. Sensitive business or personal data should not be considered secure on mobile phones, and reliance on these devices alone for storing assets is inherently risky.
Ledger's Chief Technology Officer, Charles Guillemet, emphasized the importance of updating with the latest security fixes: "This research proves what we've long warned... While this can be patched, and we encourage all users to update with the latest security fixes." Users should immediately install security updates to mitigate potential attacks.
**What Manufacturers Can Do**
MediaTek confirmed that it delivered updates to OEMs on January 5, 2026, and the vulnerability was publicly disclosed on March 2, 2026. Ledger disclosed this vulnerability to MediaTek and Trustonic under the standard 90-day disclosure process, providing time for security patches to reach affected OEMs.
Users should note that upgradeable firmware remains critical for patching zero-day exploits effectively. Manufacturers must prioritize updating their devices with the latest security fixes to prevent attacks.
**Conclusion**
The Donjon team's discovery highlights the risks inherent in relying on mobile devices to store private data, including crypto wallets and other sensitive information.
Immediate patching is the only practical defense against advanced threats, which underscores the importance of keeping software up to date and being cautious when storing sensitive data on mobile devices.