Millions of Android Phones Vulnerable to 60 Second Hack

By Sophia Taylor

A serious security flaw affecting Android smartphones has raised fresh concerns about how safe your personal data really is. Researchers have discovered that certain devices powered by MediaTek chips can be compromised in under a minute—even when switched off and locked.

The vulnerability was identified by security experts at Ledger’s Donjon research team, who demonstrated the attack on a Nothing CMF Phone 1. With physical access to the device, they were able to break into it in as little as 45 seconds by simply connecting it to a computer.

How the attack works

What makes this issue particularly worrying is that it bypasses many of the protections users rely on. The attack targets the phone’s “boot process”—the system that starts the device before Android loads. By exploiting this stage, attackers can avoid security checks that would normally protect your data.

Once connected to a computer, the exploit allows hackers to extract the cryptographic keys that protect your phone’s storage. These keys are what keep your files encrypted and inaccessible without your PIN or password. If they are compromised, the entire contents of the device can be unlocked.

Researchers showed that this could allow access to messages, photos, apps, and other sensitive data. In some cases, they were also able to recover cryptocurrency wallet information, including recovery phrases. However, even users who don’t use crypto are still at risk, as all stored data becomes exposed.

How widespread is the risk?

The flaw, tracked as CVE-2026-20435, could impact a significant portion of Android devices worldwide. Estimates suggest up to 875 million smartphones—around one in four Android devices—may be affected.

This is because MediaTek processors are widely used in affordable and mid-range smartphones from brands such as Oppo, Vivo, Xiaomi, and others. Many of these devices rely on a security feature called a Trusted Execution Environment (TEE), which is designed to protect sensitive data. However, in this case, researchers found weaknesses in how that protection is implemented.

Another factor increasing the risk is the fragmented nature of Android updates. Even though a fix exists, it must be distributed by individual phone manufacturers. This means some devices may already be protected, while others could remain vulnerable for months—or may never receive the update at all.

What you should do now

The good news is that MediaTek released a fix to manufacturers in early 2026. However, you need to make sure your device has actually received it. Check your phone’s settings for the latest security update and install it as soon as it becomes available.
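For anyone checking more than one handset, the same check can be scripted against saved `adb shell getprop` output. This is an added example, not code from the article, Ledger or MediaTek; the sample dump is constructed, and the required patch date is a placeholder to replace with the date given in your manufacturer's advisory.

```python
import re
from datetime import date

# Lines of `adb shell getprop` look like: [ro.board.platform]: [mt6878]
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]\s*$")

def parse_getprop(text):
    """Turn `adb shell getprop` output into a dict of property -> value."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m["key"]] = m["value"]
    return props

def is_mediatek(props):
    """Heuristic: SoC manufacturer property, or an 'mt####' platform name."""
    if "mediatek" in props.get("ro.soc.manufacturer", "").lower():
        return True
    platform = props.get("ro.board.platform", "") or props.get("ro.hardware", "")
    return re.fullmatch(r"mt\d{4}\w*", platform.lower()) is not None

def audit(getprop_text, required_patch):
    """Return 'not-mediatek', 'patch-level-ok', 'needs-update' or 'unknown'."""
    props = parse_getprop(getprop_text)
    if not is_mediatek(props):
        return "not-mediatek"
    try:
        level = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "unknown"  # missing or malformed patch level: treat as unverified
    return "patch-level-ok" if level >= required_patch else "needs-update"

# PLACEHOLDER threshold (assumption): the article only says "early 2026".
REQUIRED_PATCH = date(2026, 1, 1)

# Constructed sample dump, not taken from a real device.
SAMPLE = """[ro.soc.manufacturer]: [Mediatek]
[ro.board.platform]: [mt6878]
[ro.build.version.security_patch]: [2025-11-05]"""

if __name__ == "__main__":
    print(audit(SAMPLE, REQUIRED_PATCH))
```

A passing patch level only reflects what the firmware reports, so confirm in the manufacturer's release notes that the MediaTek fix is actually included.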

Although the attack requires physical access, it still poses a real risk if your phone is lost, stolen, or left unattended. Using a strong PIN or password, enabling remote tracking and wipe features, and avoiding storing highly sensitive information directly on your device can help reduce potential damage.

This vulnerability is a reminder that smartphone security depends on both hardware and software working together. Even if your phone appears secure, underlying flaws can still exist—making regular updates one of the most important steps you can take to stay protected.