Critical MediaTek Vulnerability Lets Attackers Steal Android Phone PINs in 45 Seconds

A critical vulnerability in the MediaTek Dimensity 7300 chipset allows a physical attacker to extract device PINs, decrypt on-device storage, and steal cryptocurrency wallet seed phrases in approximately 45 seconds, raising serious alarms for the roughly 25% of Android users whose devices rely on the affected chip.

The vulnerability uncovered by Ledger’s Donjon security research team resides in the Boot ROM of the MediaTek Dimensity 7300 (also known as MT6878) chip the very first code that executes when the device powers on, running at the highest possible hardware privilege level (EL3) before Android ever loads.

Because Boot ROM is permanently hard-coded into the processor’s silicon, the core hardware flaw cannot be eliminated through software patches.

Ledger’s researchers exploited this weakness using Electromagnetic Fault Injection (EMFI), a technique that delivers precisely timed electromagnetic pulses to the chip during boot-up to corrupt its execution flow.

By connecting to the device over USB and repeatedly triggering boot cycles while injecting faults, attackers can bypass all security layers and achieve arbitrary code execution at the chip’s highest privilege level without ever launching the Android operating system.

Proof-of-Concept: Nothing CMF Phone 1

Ledger demonstrated the attack on a Nothing CMF Phone 1 connected to a laptop via USB cable. The team breached the phone’s foundational security layer within 45 seconds, successfully recovering the device PIN, decrypting storage, and extracting seed phrases from multiple software crypto wallets.

Affected applications confirmed in testing include Trust Wallet, Kraken Wallet, Phantom, Base, Rabby, and Tangem’s Mobile Wallet, among others.

Although the per-attempt success rate is relatively low, the attack is practical because the process can be automated and repeated rapidly until a successful fault injection occurs.

Ledger’s research, which began in February 2025, achieved arbitrary code execution in early May 2025 before responsible disclosure was initiated with MediaTek’s security team.

The vulnerability affects Android phones using the MediaTek Dimensity 7300 chip in combination with the Trustonic Trusted Execution Environment (TEE), potentially impacting approximately 25% of Android devices globally.

Budget and mid-range smartphone brands confirmed in the affected device pool include Realme, Motorola, Oppo, Vivo, Nothing, and Tecno. The Solana Seeker crypto-focused smartphone also uses the same chipset.

Following Ledger’s responsible disclosure, MediaTek released a security patch in January 2026 and notified all affected OEM vendors. However, because the root cause is a hardware-level Boot ROM flaw, the patch only mitigates exploitation pathways rather than eliminating the underlying silicon vulnerability.

MediaTek previously stated that EMFI attacks are considered out of scope for the MT6878 chipset’s intended consumer use case.

Ledger’s CTO, Charles Guillemet, warned that smartphones are not meant to function as secure vaults for sensitive information. He advised users to apply security patches but emphasized the risks of storing private keys and seed phrases on regular devices.

Guillemet recommended transferring sensitive cryptocurrency assets to dedicated hardware wallets with certified security features, highlighting the gap between smartphone security and the needs of digital asset custody.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.