Zero-Click Exploit Decrypts Android Data Instantly

Ledger's Donjon team has uncovered a severe vulnerability in Android smartphones equipped with MediaTek processors and Trustonic's Trusted Execution Environment. This flaw, present in about a quarter of Android devices worldwide, permits attackers to perform zero-click exploits, allowing for the rapid decryption of application data. The exploit enables the extraction of root cryptographic keys from a powered-down phone via a USB connection before the operating system even loads. These stolen keys can then be used for offline storage decryption and brute-forcing device PINs, potentially exposing sensitive information like messages, photos, and cryptocurrency wallet details.

Charles Guillemet, CTO of Ledger, cautioned that smartphones were not originally designed as secure vaults and that while this specific vulnerability can be patched, the inherent risks remain. He stressed that crypto assets stored on phones are only as secure as the device's weakest hardware, firmware, or software link. Ledger responsibly disclosed this vulnerability to MediaTek and Trustonic, adhering to a 90-day disclosure period. MediaTek confirmed that updates were sent to OEMs on January 5, 2026, with the vulnerability publicly disclosed as CVE-2025-20435 on March 2, 2026. Users are strongly advised to install all available security updates to mitigate these advanced threats.