One-in-four Android devices has a flawed chip that can steal your PIN in less than 3 minutes
The Nothing CMF Phone 1 is among the Android models with a serious security issue.
Certain processors for Android phones contain a serious security flaw. | Image by PhoneArena
Some MediaTek-designed chips have been found to contain an extremely serious vulnerability that impacts roughly 25% of all active Android phones, or about 875 million handsets. The flaw reportedly allows a phone to be compromised in less than a minute. Powering the phone down does not protect it: the attacker needs physical access to the handset and must have it connected over USB while it is being powered on. The vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2026-20435.
If your phone is powered by a flawed MediaTek chipset, you might have a serious security issue
Read that last paragraph again, then consider what it means. Even if your phone is locked and powered down, and unlocking it requires a biometric such as a fingerprint or a match of your 3D-mapped face, there is a problem. If the phone runs on a flawed MediaTek chip, an attacker with the device in hand can obtain your lock-screen PIN and the root keys that protect its encrypted contents.
If you own an affected Android phone, are you worried?
Once an attacker has the root key, he can dump whatever encrypted data is on the phone and attack it offline, away from the device and its lock-screen protections. The phone's master key can then be "unwrapped" offline, allowing the attacker to read every file. Passwords and PINs kept in a notes-type app are now in plain text, ending any illusion of privacy. The phone could also be told to accept any fingerprint or face as the correct biometric for unlocking it.

The MediaTek Helio G99 is one of the chipsets with the flaw. | Image by Blackview
Researchers from Ledger's Donjon security lab discovered the flaw in several chipsets designed by MediaTek. Their summary is blunt: the flaw "allows an attacker to extract user data – including messages, photos, and even crypto wallet seed phrases – in seconds." If there is any good news in an article like this, it is that MediaTek patched the flaw in January. The bad news is that, thanks to the "F" word, not all Android users will receive the patch.
Here is a list of impacted MediaTek chipsets
The "F" word, for Android users, is fragmentation. Most Android phone makers ship their own customized builds of the software, and a fix for a chipset-level flaw has to travel from MediaTek to each manufacturer and into that manufacturer's firmware before it reaches a handset. There is therefore usually a long delay between the time Google publishes a monthly Android security update and the time it becomes available to install on a given device. The bottom line: many Android phones will remain vulnerable until their maker ships the patch.
If you know which MediaTek chipset powers your phone, you can determine whether your phone is vulnerable by checking this list of affected MediaTek chipsets:
MediaTek MT6700/MT6800/MT6900 series chipsets: MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6813, MT6833, MT6853, MT6855, MT6877, MT6878, MT6879, MT6880, MT6885, MT6886, MT6890, MT6893, MT6895, MT6897, MT6983, MT6985, MT6989, MT6990, MT6993.
MediaTek MT8100/MT8600/MT8700 series chipsets: MT8169, MT8186, MT8188, MT8370, MT8390, MT8676, MT8678, MT8696, MT8793, MT2737.
A proof of concept for this vulnerability was demonstrated on the Nothing CMF Phone 1. Other mid-range models that use the chipsets above include phones from Oppo, Realme, Vivo and Xiaomi. If the MediaTek application processor powering your phone appears on the list, make sure you have installed the March Android security update.
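The article tells you to check your chipset against the list and then to confirm the March update is installed, but not how to do either on the phone itself. The following is an added example, not code from the article, from Ledger or from MediaTek: a small POSIX shell script that reads the output of `adb shell getprop` and reports whether the handset uses a listed part and whether its security patch level is at or after March 2026. The property names it reads (`ro.mediatek.platform`, `ro.soc.model`, `ro.board.platform`, `ro.hardware`, `ro.vendor.build.security_patch`, `ro.build.version.security_patch`) are standard Android properties, but which one carries the SoC name varies by manufacturer, and the cut-off date of 2026-03-01 is an assumption derived from the article's "March update" advice. The sample `getprop` dump embedded at the bottom is constructed for the demonstration and does not describe a real device.

```shell
#!/bin/sh
# Added example, not code from the article, Ledger or MediaTek: classify a handset
# from the text of `adb shell getprop`, using the article's list of affected parts
# and its advice that the March Android update carries the fix.

# Part numbers exactly as the article lists them (lowercased for matching).
AFFECTED="mt6739 mt6761 mt6765 mt6768 mt6781 mt6789 mt6813 mt6833 mt6853 mt6855 \
mt6877 mt6878 mt6879 mt6880 mt6885 mt6886 mt6890 mt6893 mt6895 mt6897 mt6983 \
mt6985 mt6989 mt6990 mt6993 mt8169 mt8186 mt8188 mt8370 mt8390 mt8676 mt8678 \
mt8696 mt8793 mt2737"

# Assumption: a security patch level of 2026-03-01 or later means the March
# update is installed. Adjust if your OEM's bulletin says otherwise.
FIX_SPL=20260301

# prop NAME DUMP: value of one property from a getprop dump
# (lines look like "[ro.board.platform]: [mt6878]").
prop() {
  printf '%s\n' "$2" | sed -n "s/^\[$1]: \[\(.*\)]$/\1/p" | head -n 1
}

# spl_to_int YYYY-MM-DD: prints a 20260305-style integer, or nothing if malformed.
spl_to_int() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
      y=${1%%-*}; r=${1#*-}; m=${r%%-*}; d=${r#*-}
      printf '%s%s%s' "$y" "$m" "$d" ;;
    *) printf '' ;;
  esac
}

# mtk_check: read a getprop dump on stdin and print one of
#   NOT_MTK     no MediaTek part number found in the usual SoC properties
#   UNLISTED    MediaTek part, but not on the article's list
#   PATCHED     listed part with a patch level at or after FIX_SPL
#   VULNERABLE  listed part with an older or missing patch level
mtk_check() {
  dump=$(cat)
  # Which property names the SoC varies by OEM; take the first that is set.
  soc=""
  for p in ro.mediatek.platform ro.soc.model ro.board.platform ro.hardware; do
    soc=$(prop "$p" "$dump" | tr 'A-Z' 'a-z')
    if [ -n "$soc" ]; then break; fi
  done
  # Keep only a leading mtNNNN token; any OEM suffix is dropped.
  soc=$(printf '%s' "$soc" | sed -n 's/^\(mt[0-9][0-9][0-9][0-9]\).*/\1/p')
  [ -n "$soc" ] || { echo NOT_MTK; return; }
  case " $AFFECTED " in
    *" $soc "*) ;;
    *) echo UNLISTED; return ;;
  esac
  # Chipset fixes arrive with the vendor patch level, which can lag the
  # system one; prefer it when present.
  spl=$(prop ro.vendor.build.security_patch "$dump")
  [ -n "$spl" ] || spl=$(prop ro.build.version.security_patch "$dump")
  n=$(spl_to_int "$spl")
  if [ -n "$n" ] && [ "$n" -ge "$FIX_SPL" ]; then echo PATCHED; else echo VULNERABLE; fi
}

# Constructed sample dump (not a real device): a listed part with a February patch level.
SAMPLE='[ro.board.platform]: [mt6878]
[ro.build.version.security_patch]: [2026-02-05]
[ro.product.model]: [constructed-sample]'

# Prints the verdict for the constructed sample. For a real phone, run
#   adb shell getprop | mtk_check
sample_check() { printf '%s\n' "$SAMPLE" | mtk_check; }

sample_check
```

The vendor patch level is checked before the system one on purpose: on many devices the two differ, and a chipset fix from MediaTek lands in the vendor partition, so a March date in Settings can coexist with an older vendor level. A result of PATCHED only means the patch level is recent enough; it cannot confirm that the OEM actually merged MediaTek's fix into that build.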
Make sure you've installed the Android March security update
If your Android phone stopped receiving updates before the March update was released and you don't expect any more, do not store any crypto on that device, and replace the phone as soon as you can.
Charles Guillemet, Ledger's chief technology officer, said that the research proves smartphones were not meant to be vaults for secure information. "It shows the challenge of storing secrets on non-secure devices," he said.