Researchers at a cryptocurrency firm have discovered a new vulnerability that could allow malicious actors to gain access to Android smartphones in under a minute. The flaw is said to affect MediaTek’s Dimensity and Helio chips on some smartphones, by targeting the trusted execution environment that protects sensitive user data on a smartphone. On the other hand, smartphones from other brands like Google, Apple, and various handsets with Snapdragon chips are equipped with dedicated security chips that can protect user information.
In a post on X, Ledger’s Chief Technology Officer (CTO) Charles Guillemet claims that Ledger Donjon, the cryptocurrency firm’s division of security researchers, has discovered a vulnerability that could affect millions of Android smartphones powered by MediaTek chipsets. The issue appears to stem from the Trustonic TEE, a code execution environment used by MediaTek’s Dimensity and Helio series chipsets to protect sensitive data on Android handsets.
The group tested the vulnerability on the CMF Phone 1, which is equipped with a MediaTek Dimensity 7300 chipset. The group was reportedly able to breach the smartphone’s security and access the information within 45 seconds of it being plugged into a computer. However, it’s worth noting that any Android smartphone with an affected MediaTek chip could be impacted by the flaw.
The researchers could exploit the vulnerability to gain access to the MediaTek chipset-powered Android smartphone’s security PIN. They could also access the phone’s decrypted storage while also extracting the seed phrases of “the most popular software wallets”, which are 12 to 24-word passwords used for cryptocurrency verification and account recovery.
The executive claims that the security researchers did not even have to turn on the phone to recover the sensitive data. Since the vulnerability may expose “millions of Android phones” to security risks, bad actors can potentially gain access to a user’s cryptocurrency wallet and execute transactions without the knowledge of the victim.
At the time of publishing, OEMs have yet to publicly acknowledge this vulnerability. MediaTek told Android Authority that it issued a patch for the vulnerability to device makers as early as January, but it is currently unknown whether smartphone makers have patched the issue for all affected devices.
