Android Phones Vulnerability Can Break Lock Screen in Under 60 Seconds

Security researchers say a critical flaw in Android phones running MediaTek chips with Trustonic’s Trusted Execution Environment can let an attacker unlock a device in under a minute. The vulnerability, tracked as CVE-2026-20435, was shown by Ledger’s Donjon research team on a MediaTek-powered CMF Phone 1 that was connected over USB and breached in 45 seconds. The exploit recovers the device PIN, extracts root keys and wallet seed phrases, and can decrypt storage before Android fully boots, leaving encrypted data exposed if the handset is physically accessed.

Android Phones: How the exploit works

The flaw targets certain MediaTek system-on-a-chip designs that rely on Trustonic’s Trusted Execution Environment (TEE) for key protection. Researchers demonstrated an attack that requires physical access and a USB connection to a laptop; the exploit runs without ever booting the Android operating system and can automatically recover the handset PIN, decrypt full‑disk storage and extract seed phrases from software wallets. The vulnerability is tracked as CVE-2026-20435, and the exploit was shown to extract the root keys that protect full‑disk encryption before Android reaches a secure state.

That may sound limited to specific hardware, but the problem affects a broad slice of the market: the weakness is present in MediaTek chips used across multiple price tiers and, as described in technical summaries, could touch about one in four Android phones, mostly lower-cost models. Because the attack operates before normal OS protections take effect, the usual safety net of lock screen and full‑disk encryption does not stop this exploit on affected devices.

Immediate reactions

Charles Guillemet, Chief Technology Officer at Ledger, described the demonstration in direct terms: “The Ledger Donjon plugged a CMF Phone 1 into a laptop and breached the phone’s foundational security within 45 seconds.” Guillemet added a design critique that frames the risk: “General-purpose chips are built for convenience. Secure Elements are built for key protection.”

MediaTek has provided firmware fixes to device manufacturers; the company confirmed it supplied those fixes on January 5, 2026 (ET). Device makers must bundle MediaTek’s corrections into phone updates before end users receive patches, and the speed of that rollout depends on each manufacturer’s update cadence and whether a device has reached end-of-life support.

Context and what happens next

The exploit was shown on a MediaTek-powered CMF Phone 1 and requires physical access to the handset. Researchers demonstrated that connecting a vulnerable phone to a laptop over USB is sufficient to run the exploit sequence, which then extracts PINs, root keys and wallet seed phrases without booting Android. MediaTek’s fixes are available to manufacturers, but users will only be protected once their phone makers publish and users install security updates; depending on the model and its support status, that can take days or, for some devices, much longer or never.

Users of affected Android phones should watch for security updates from their phone makers, apply patches as soon as they are available, and keep devices physically secure while vendors roll out fixes. Manufacturers and hardware teams are expected to continue distributing firmware updates and advisories; investigators and device makers will likely publish further technical guidance and lists of affected chipsets as updates are issued.
