Android flaw lets attackers steal crypto wallet seed phrases


Less than two weeks after the news of a government-grade iOS exploit kit, security researchers have now revealed a crypto-stealing vulnerability in Android devices.

Researchers at Ledger Donjon, a security arm of the major crypto hardware wallet manufacturer Ledger, discovered a MediaTek vulnerability that enabled criminals to steal crypto assets from the most popular Android-based wallets. The vulnerability is said to have been fixed by MediaTek, a Taiwanese fabless semiconductor company, in January.

Here's how it worked. According to Charles Guillemet, CTO at Ledger, the researchers plugged a Nothing CMF Phone 1 into a laptop and breached the phone’s foundational security within 45 seconds.

"Without ever even booting into Android, the exploit automatically recovered the phone’s PIN, decrypted its storage, and extracted the seed phrases from the most popular software wallets," the CTO said, referring to a combination of 12–24 words that give access to crypto wallets.

Meanwhile, the US government-maintained National Vulnerability Database notes that locally stored information could be stolen if an attacker has physical access to the device, with no additional execution privileges or user interaction required.

Guillemet emphasized that this vulnerability could have potentially impacted millions of Android phones and that "smartphones aren't built for security."

"Even when powered off, user data – including pins & seeds – can be extracted in under a minute," he said, adding that general-purpose chips are built for convenience, while a dedicated secure element isolates secrets from the rest of the system and should protect them even during a physical attack.

Some commenters online reacted to the news by saying that since Apple controls both hardware and software, the iPhone offers a smaller attack surface. However, as reported by Cybernews earlier this March, iPhones were under mass attack, with Chinese scammers, Russian spies, and other cybercriminals using the government-grade iOS exploit kit Coruna.

