
Hardware-Level Android Chip Vulnerabilities Enable Device Compromise

embedded-device-vulnerability, actively-exploited-vulnerability, endpoint-software-vulnerability, credential-access-method, cryptocurrency-platform-risk
Updated March 21, 2026 at 05:52 AM (3 sources)

Security researchers and vendors reported hardware/firmware-level vulnerabilities in Android chip components that can enable deep device compromise beyond typical app-layer defenses. Ledger’s Donjon research described a flaw involving MediaTek chip boot-chain behavior and Trustonic’s trusted execution environment (TEE) that allowed rapid physical compromise: by connecting an affected phone to a laptop over USB, attackers could allegedly brute-force the PIN, decrypt storage, and extract sensitive data including messages and cryptocurrency wallet seed phrases (e.g., Kraken Wallet, Phantom). The researchers estimated the affected MediaTek chips appear in roughly one-quarter of Android phones, disproportionately in lower-cost devices.

Separately, Zimperium reported active exploitation of a Qualcomm graphics zero-day (CVE-2026-21385) in targeted Android attacks, describing a memory-corruption condition that could enable code execution or unauthorized access across “hundreds” of Qualcomm chipsets. A ZDNET article on Android’s Repair Mode primarily provides user guidance and anecdotal troubleshooting around a buggy March update/SIM recognition issue; it does not substantively address the chip-level vulnerabilities described in the other reporting and is best treated as tangential consumer advice rather than incident or vulnerability intelligence.

Timeline

  1. Mar 12, 2026

    Researchers publish PoC showing 45-second data extraction on affected phones

    Further technical details showed the vulnerability could be used with brief physical access and a USB connection before Android fully loads to bypass protections on affected devices. In a proof of concept, Ledger's Donjon team extracted a device PIN, decrypted storage, and recovered seed phrases from multiple crypto wallet apps in about 45 seconds.

  2. Mar 11, 2026

    MediaTek releases firmware patch for case 2026-20435

    MediaTek released a firmware fix and published a security incident report for the vulnerability tracked as security case 2026-20435, listing affected chipsets. OEMs were expected to incorporate the fix into their device security updates, leaving users dependent on vendor rollout timelines.

  3. Mar 11, 2026

    Ledger Donjon identifies MediaTek/Trustonic Android boot-chain vulnerability

    Researchers from Ledger's Donjon disclosed a hardware-rooted vulnerability affecting Android phones that use certain MediaTek chipsets with Trustonic's trusted execution environment. The flaw can be exploited over USB during early boot to extract root cryptographic keys, brute-force PINs, decrypt storage, and steal sensitive data, with no evidence of in-the-wild exploitation reported.

  4. Mar 10, 2026

    Qualcomm zero-day CVE-2026-21385 exploited in targeted Android attacks

    A memory-corruption flaw in Qualcomm graphics components, tracked as CVE-2026-21385, was reported as being actively exploited in targeted attacks against Android devices. The vulnerability affects hundreds of Qualcomm chipsets and could enable code execution or unauthorized device access from a low-level hardware component.


Related Stories

Android Mobile Device Security Research on Payment App Abuse and Chip-Level Unlock Risks

Recent reporting highlights **two separate Android security research tracks**, not a single incident. One report details how attackers can abuse the **LSPosed** framework on already-compromised Android devices to hook `SmsManager` and `TelephonyManager`, intercept registration tokens, spoof phone numbers, exfiltrate 2FA data, and remotely inject fake SMS records into the device’s sent-message database. The technique targets **mobile payment ecosystems** that rely on SIM binding, allowing bank backends to be misled about physical SIM presence and enabling account takeover and fraud when victims have first been infected through trojanized APKs. Separate coverage describes a **MediaTek secure boot chain flaw** affecting up to **875 million Android phones**, where an attacker with physical possession of a device and USB access could extract encryption-related keys before Android fully loads, decrypt storage offline, and rapidly brute-force the PIN. That issue is distinct from unrelated reporting on **Intel UEFI vulnerabilities**, which concerns local privilege-escalation flaws in PC firmware rather than Android devices. The material is **not fluff** because it contains substantive vulnerability and threat research with concrete attack paths and mitigation guidance, including stronger device integrity enforcement and backend validation for payment workflows.

1 month ago
Google March Android Security Bulletin Patches 129 Flaws Including Actively Exploited Qualcomm Display Zero-Day

Google released the March 2026 *Android Security Bulletin*, issuing fixes for **129 vulnerabilities** across the Android ecosystem and shipping two patch levels (`2026-03-01` and `2026-03-05`) to help OEMs stage platform and hardware-specific updates. The most urgent issue is **CVE-2026-21385**, a **high-severity, actively exploited** zero-day in an open-source **Qualcomm display** component used in Android devices with affected Qualcomm/Snapdragon chipsets. Reporting indicates CVE-2026-21385 is a **memory-corruption** flaw caused by an **integer overflow/wraparound** condition that can lead to memory corruption during allocation/alignment in display drivers; successful exploitation could enable device compromise (e.g., arbitrary code execution and/or privilege escalation) and bypass security boundaries. Google and Qualcomm both acknowledged **limited, targeted exploitation in the wild**, and one account attributes discovery/confirmation of exploitation to Google’s **Threat Analysis Group (TAG)**; devices not updated to at least patch level `2026-03-05` remain exposed, making rapid patch deployment and user update compliance the primary risk-reduction actions.

1 month ago
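The bug class named in the summary above (integer wraparound while rounding an allocation size up to an alignment), as an added, generic illustration beside its checked form. This is not Qualcomm's driver code or the actual CVE-2026-21385 defect; the function names and the sample size are hypothetical and constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper names; generic illustration of the bug class only. */

/* Unchecked: rounds size up to a power-of-two alignment in 32-bit math.
   For sizes near UINT32_MAX the addition wraps and the result is tiny,
   so a later allocation is far smaller than the caller believes. */
uint32_t align_up_unchecked(uint32_t size, uint32_t align)
{
    return (size + align - 1u) & ~(align - 1u);
}

/* Checked: rejects alignments that are not a power of two and any size
   whose rounded value does not fit in 32 bits. Uses the GCC/Clang
   overflow builtins; returns false instead of wrapping. */
bool align_up_checked(uint32_t size, uint32_t align, uint32_t *out)
{
    uint32_t sum;
    if (align == 0 || (align & (align - 1u)) != 0)
        return false;                        /* not a power of two */
    if (__builtin_add_overflow(size, align - 1u, &sum))
        return false;                        /* addition would wrap */
    *out = sum & ~(align - 1u);
    return true;
}

/* Checked count * stride sizing, the other common wrap site before alignment. */
bool buffer_bytes_checked(uint32_t count, uint32_t stride,
                          uint32_t align, uint32_t *out)
{
    uint32_t raw;
    if (__builtin_mul_overflow(count, stride, &raw))
        return false;                        /* product would wrap */
    return align_up_checked(raw, align, out);
}

int main(void)
{
    uint32_t requested = 0xFFFFFFF1u;  /* constructed caller-supplied size */
    uint32_t ok = 0;
    printf("unchecked: %u bytes\n", (unsigned)align_up_unchecked(requested, 16));
    printf("checked accepted: %d\n", align_up_checked(requested, 16, &ok));
    return 0;
}
```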
Critical Secure Boot Vulnerability in Qualcomm Chipsets

Qualcomm has issued a security alert regarding multiple newly discovered vulnerabilities in its chipset ecosystem, with particular emphasis on a critical flaw affecting the secure boot process. The most severe vulnerability, identified as CVE-2025-47372 and rated as critical with a CVSS score of 9.0, involves a buffer overflow during the boot sequence that could allow attackers to bypass verification routines, install persistent malicious firmware, or gain control of a device before the operating system loads. This flaw, classified under CWE-120 (Classic Buffer Overflow), impacts a wide range of Snapdragon and QAM devices, and Qualcomm has urged device manufacturers to integrate the necessary fixes into both current and future products. The vulnerability was discovered with the assistance of external researchers and has been highlighted in Qualcomm's December 2025 security bulletin. Security authorities, including the Canadian Centre for Cyber Security, have echoed Qualcomm's advisory, strongly recommending that users and administrators review the bulletin and apply all relevant updates to mitigate the risk. The flaw's presence at such a fundamental stage of device operation underscores the urgency for prompt remediation across affected hardware.

1 month ago