The MediaTek + Trustonic combination at the heart of the problem
Table of Contents
THE Ledger ethical hackers demonstrated the vulnerability on a Nothing CMF Phone 1 in real conditions. The attack made it possible to extract the PIN code, decrypt entire encrypted storage and empty multiple cryptocurrency wallets in less than a minute. The targeted phone was completely turned off at the time of the attack.
The flaw exploits a specific architecture combining two elements:
- A MediaTek chip (main processor of the smartphone)
- And secure execution environment (TEE) developed by Trustonic
The TEE normally constitutes a isolated area of the processor supposed to protect the most sensitive operations: PIN code verification, encryption key management, storage of biometric identifiers. This isolation should theoretically prevent unauthorized access, even if the main operating system is compromised.
But researchers discovered a flaw in boot sequence. When you plug your turned off smartphone via USB, the MediaTek chip automatically powers up before the security protections fully charge. During this time window of a few seconds, an attacker can inject malicious commands to bypass all software protections and directly access encrypted storage.
Brands and models affected by the vulnerability
The scale of the breach goes well beyond a single manufacturer. More than ten brands use the MediaTek + Trustonic TEE combination in their mid and entry-level ranges:
Affected Android smartphones:
- Samsung : full Galaxy A range and select Galaxy Tab tablets
- Xiaomi : Redmi and Poco models equipped with MediaTek
- Oppo and sub-brands (Realme, OnePlus Nord series some models)
- Motorola : mid-range Moto G and Edge range
- Honor : Honor X and Magic Lite series
- HTC : recent mid-range models
- Nothing : CMF Phone 1 and possibly Phone (2a)
Other vulnerable devices: The flaw is not limited to smartphones. Some connected TVs and tablets integrating MediaTek chips with Trustonic TEE are also on display:
- Sony : selected Bravia TVs and tablets
- TCL, Hisense, Philips : mid-range Android TVs
This non-exhaustive list potentially represents several tens of millions of devices currently in circulation in France. High-end models equipped with Qualcomm Snapdragon or Google Tensor chips are not affected by this specific vulnerability.
The patch schedule: between reactivity and concerns
MediaTek responded quickly after the discovery of the flaw. The chipmaker sent a security patch for manufacturers from January 5, 2026two months before public disclosure. This period of responsible disclosure was to allow manufacturers to integrate the fix before the technical details became public.
The official release of the vulnerability on March 2, 2026 theoretically gave manufacturers enough time to deploy security updates on recent models. Users with smartphones encore sous support (usually under 3-4 years old) should receive the patch via the Android security updates from March or April 2026.
But one major problem remains : Smartphones at the end of support will probably never receive the patch. A device purchased five years ago, even if it works perfectly, no longer benefits from security updates from its manufacturer. These millions of devices will remain vulnerable indefinitelycreating a fleet of exploitable phones.
Practical guide: check and protect yourself effectively
Check immediately if your smartphone requires an update:
- Access the Settings from your Android phone
- Go down to About the phone or System information
- Search for it Android security patch level
- If the date displays February 2026 or earlieryour device is potentially vulnerable
- Return to Settings > System > Software Update
- Launch a manual update check
If no updates are available and your security patch is several months old, contact your manufacturer’s technical support for the expected timeline.
Immediate protective measures to adopt:
- Absolutely avoid public USB charging stations (airports, train stations, shopping centers). The flaw is activated precisely via a malicious USB connection. Always use your own charger plugged into a standard electrical outlet or use a trusted external battery.
- Never leave your phone unattended in risky environments: customs checks, security clearances, unofficial store repairs. The 45 seconds required for exploitation make the attack feasible with simple inattention.
- For cryptocurrency holders : migrate immediately to a dedicated hardware wallet (Ledger, Trezor). Never store large amounts in a mobile application, even a secure one. Hardware wallets physically isolate your private keys from the vulnerable smartphone.
- Anticipate the replacement of devices at the end of support. If your smartphone has more than four or five years and hasn’t received a security update for several months, this is a signal that it will probably never receive the MediaTek patch. In this case, plan its replacement in the coming months by a recent model benefiting from long-term support.
- Put the real threat level into perspective: this flaw, although technically serious, requires a 45 second physical access to your unlocked or powered off device. It does not concern the general public who are victims of massive automated cyberattacks. The priority targets are people transporting sensitive data (professionals, significant crypto holders, journalists, activists) in risky contexts (international travel, conflict zones, investigations).
The discovery of this vulnerability above all reminds us of the crucial importance of regular updates a you periodic replacement smartphones to maintain an acceptable level of security in 2026.
