Hardware-Level Android Chip Vulnerabilities Enable Device Compromise
Security researchers and vendors reported hardware/firmware-level vulnerabilities in Android chip components that can enable deep device compromise beyond typical app-layer defenses. Ledger’s Donjon research described a flaw involving MediaTek chip boot-chain behavior and Trustonic’s trusted execution environment (TEE) that allowed rapid physical compromise: by connecting an affected phone to a laptop over USB, attackers could allegedly brute-force the PIN, decrypt storage, and extract sensitive data including messages and cryptocurrency wallet seed phrases (e.g., Kraken Wallet, Phantom). The researchers estimated the affected MediaTek chips appear in roughly one-quarter of Android phones, disproportionately in lower-cost devices.
Separately, Zimperium reported active exploitation of a Qualcomm graphics zero-day (CVE-2026-21385) in targeted Android attacks, describing a memory-corruption condition that could enable code execution or unauthorized access across “hundreds” of Qualcomm chipsets. A ZDNET article on Android’s Repair Mode primarily provides user guidance and anecdotal troubleshooting around a buggy March update/SIM recognition issue; it does not substantively address the chip-level vulnerabilities described in the other reporting and is best treated as tangential consumer advice rather than incident or vulnerability intelligence.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers publish PoC showing 45-second data extraction on affected phones
Further technical details showed the vulnerability could be used with brief physical access and a USB connection before Android fully loads to bypass protections on affected devices. In a proof of concept, Ledger's Donjon team extracted a device PIN, decrypted storage, and recovered seed phrases from multiple crypto wallet apps in about 45 seconds.
MediaTek releases firmware patch for case 2026-20435
MediaTek released a firmware fix and published a security incident report for the vulnerability tracked as security case 2026-20435, listing affected chipsets. OEMs were expected to incorporate the fix into their device security updates, leaving users dependent on vendor rollout timelines.
Ledger Donjon identifies MediaTek/Trustonic Android boot-chain vulnerability
Researchers from Ledger's Donjon disclosed a hardware-rooted vulnerability affecting Android phones that use certain MediaTek chipsets with Trustonic's trusted execution environment. The flaw can be exploited over USB during early boot to extract root cryptographic keys, brute-force PINs, decrypt storage, and steal sensitive data, with no evidence of in-the-wild exploitation reported.
Qualcomm zero-day CVE-2026-21385 exploited in targeted Android attacks
A memory-corruption flaw in Qualcomm graphics components, tracked as CVE-2026-21385, was reported as being actively exploited in targeted attacks against Android devices. The vulnerability affects hundreds of Qualcomm chipsets and could enable code execution or unauthorized device access from a low-level hardware component.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Vulnerability in MediaTek Chips Could Impact 25% Android Smartphones - The Cyber Express
thecyberexpress.com
Open sourceThis security flaw could affect 1 in 4 Android phones - how to check yours | ZDNET
zdnet.com
Open sourceQualcomm Zero-Day Exploited in Targeted Android Attacks
zimperium.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Android Mobile Device Security Research on Payment App Abuse and Chip-Level Unlock Risks
Recent reporting highlights **two separate Android security research tracks**, not a single incident. One report details how attackers can abuse the **LSPosed** framework on already-compromised Android devices to hook `SmsManager` and `TelephonyManager`, intercept registration tokens, spoof phone numbers, exfiltrate 2FA data, and remotely inject fake SMS records into the device’s sent-message database. The technique targets **mobile payment ecosystems** that rely on SIM binding, allowing bank backends to be misled about physical SIM presence and enabling account takeover and fraud when victims have first been infected through trojanized APKs. Separate coverage describes a **MediaTek secure boot chain flaw** affecting up to **875 million Android phones**, where an attacker with physical possession of a device and USB access could extract encryption-related keys before Android fully loads, decrypt storage offline, and rapidly brute-force the PIN. That issue is distinct from unrelated reporting on **Intel UEFI vulnerabilities**, which concerns local privilege-escalation flaws in PC firmware rather than Android devices. The material is **not fluff** because it contains substantive vulnerability and threat research with concrete attack paths and mitigation guidance, including stronger device integrity enforcement and backend validation for payment workflows.
Mar 21, 2026
Google March Android Security Bulletin Patches 129 Flaws Including Actively Exploited Qualcomm Display Zero-Day
Google released the March 2026 *Android Security Bulletin*, issuing fixes for **129 vulnerabilities** across the Android ecosystem and shipping two patch levels (`2026-03-01` and `2026-03-05`) to help OEMs stage platform and hardware-specific updates. The most urgent issue is **CVE-2026-21385**, a **high-severity, actively exploited** zero-day in an open-source **Qualcomm display** component used in Android devices with affected Qualcomm/Snapdragon chipsets. Reporting indicates CVE-2026-21385 is a **memory-corruption** flaw caused by an **integer overflow/wraparound** condition that can lead to memory corruption during allocation/alignment in display drivers; successful exploitation could enable device compromise (e.g., arbitrary code execution and/or privilege escalation) and bypass security boundaries. Google and Qualcomm both acknowledged **limited, targeted exploitation in the wild**, and one account attributes discovery/confirmation of exploitation to Google’s **Threat Analysis Group (TAG)**; devices not updated to at least patch level `2026-03-05` remain exposed, making rapid patch deployment and user update compliance the primary risk-reduction actions.
Mar 21, 2026
Critical Secure Boot Vulnerability in Qualcomm Chipsets
Qualcomm has issued a security alert regarding multiple newly discovered vulnerabilities in its chipset ecosystem, with particular emphasis on a critical flaw affecting the secure boot process. The most severe vulnerability, identified as CVE-2025-47372 and rated as critical with a CVSS score of 9.0, involves a buffer overflow during the boot sequence that could allow attackers to bypass verification routines, install persistent malicious firmware, or gain control of a device before the operating system loads. This flaw, classified under CWE-120 (Classic Buffer Overflow), impacts a wide range of Snapdragon and QAM devices, and Qualcomm has urged device manufacturers to integrate the necessary fixes into both current and future products. The vulnerability was discovered with the assistance of external researchers and has been highlighted in Qualcomm's December 2025 security bulletin. Security authorities, including the Canadian Centre for Cyber Security, have echoed Qualcomm's advisory, strongly recommending that users and administrators review the bulletin and apply all relevant updates to mitigate the risk. The flaw's presence at such a fundamental stage of device operation underscores the urgency for prompt remediation across affected hardware.
Mar 21, 2026