One in four active Android devices harbors a serious security flaw embedded in MediaTek-designed chips that can allow attackers to steal your PIN code in less than three minutes. This bug affects an estimated 875 million phones worldwide and can be exploited even when the phone starts out powered off, provided it is connected via USB while it powers on. Tracked as CVE-2026-20435, the vulnerability exposes the Master Key used for encrypting data, enabling hackers to bypass biometric locks and, with enough computational power, decrypt the phone's encrypted files offline.
Security researchers from Ledger’s Donjon Hacker Lab discovered the exploit in multiple MediaTek chipsets, warning it can rapidly leak sensitive data, including messages, photos, and cryptocurrency wallet seed phrases. The MediaTek Helio G99, among other processors, was identified as vulnerable. Despite MediaTek issuing a patch in January 2024, the Android ecosystem’s notorious fragmentation delays delivery of updates, leaving countless devices exposed.
The flaw primarily resides in various models across the MediaTek MT6700, MT6800, MT6900, MT8100, MT8600, and MT8700 series, including chips like MT6739, MT6765, MT6789, MT6877, MT6893, MT6989, MT8169, MT8370, and MT8678. Popular mid-range Android smartphones from brands such as Oppo, Realme, Vivo, and Xiaomi often use these chips. If your phone’s chipset matches any on the list and you haven’t applied the March 2024 Android update, your data is at risk.
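One way to check a phone or a device fleet against the chips and patch month named above, as an added example that is not code from Ledger, MediaTek or Google: the function reads the output of `adb shell getprop` and classifies the device. The property keys used to find the chipset (`ro.soc.model`, `ro.board.platform`, `ro.hardware`) are an assumption about where a given vendor records it, and the sample input is constructed.

```shell
#!/bin/sh
# Added example. Chip names, series and patch month are the ones the article
# lists; the getprop keys used to find the SoC are an assumption per vendor.
LISTED="mt6739 mt6765 mt6789 mt6877 mt6893 mt6989 mt8169 mt8370 mt8678"
FIXED_LEVEL=20240301   # "March 2024 Android update", as YYYYMMDD

# prop <key> <getprop dump>: print the value of one "[key]: [value]" line.
prop() {
  printf '%s\n' "$2" | tr -d '\r' | sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# classify_device <getprop dump>: print "<verdict>:<chip>" for one device.
classify_device() {
  soc="$(prop ro.soc.model "$1") $(prop ro.board.platform "$1") $(prop ro.hardware "$1")"
  chip=$(printf '%s\n' "$soc" | tr 'A-Z' 'a-z' | grep -oE 'mt[0-9]{4}' | head -n 1 || true)
  if [ -z "$chip" ]; then echo "no-mediatek-soc:unknown"; return 0; fi

  # Patch level is an ISO date (YYYY-MM-DD); a missing or malformed value
  # is treated as unpatched so the device is not silently cleared.
  level=0
  patch=$(prop ro.build.version.security_patch "$1")
  case "$patch" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) level=$(printf '%s' "$patch" | sed 's/-//g') ;;
  esac
  if [ "$level" -ge "$FIXED_LEVEL" ]; then echo "patched:$chip"; return 0; fi

  for c in $LISTED; do
    if [ "$c" = "$chip" ]; then echo "exposed-listed:$chip"; return 0; fi
  done
  # The article's chip list is not exhaustive, so fall back to the series.
  case "$chip" in
    mt67*|mt68*|mt69*|mt81*|mt86*|mt87*) echo "exposed-series:$chip" ;;
    *) echo "mediatek-unlisted:$chip" ;;
  esac
}

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE='[ro.board.platform]: [mt6789]
[ro.build.version.security_patch]: [2024-01-05]
[ro.soc.model]: [MT6789V/CD]'
classify_device "$SAMPLE"
```

On a real device, pass the live dump instead of the sample: `classify_device "$(adb shell getprop)"`.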
The exploit requires physical access to the device (a hacker must connect your phone to a malicious USB source during power-on), but this condition doesn’t lessen the severity. Once the Root Key is extracted, encrypted user data can be decrypted with offline brute force, rendering stored passwords and PINs easily retrievable. Alarmingly, biometric authentication can be overridden, accepting any fingerprint or facial scan as valid.
The vulnerability was demonstrated on the Nothing Phone (CMF Phone 1), affirming the extent of the threat. Users of phones that no longer receive Android security updates should avoid storing sensitive information such as cryptocurrencies on those devices and consider upgrading to newer models that can receive patches promptly.
Charles Guillemet, CTO at Ledger, highlighted the broader challenge this vulnerability exposes: modern smartphones, despite their sophistication, aren’t inherently secure vaults for private data. This flaw underscores the systemic risks in housing sensitive secrets on widely distributed but unprotected hardware. Until patch rollout becomes near-instantaneous across all Android devices, users face a precarious balance between convenience and security.

