This Vulnerability Can Break Android Phones’ Lock Screens In Under 60 Seconds
A newly disclosed hardware-level flaw in certain MediaTek chips can allow attackers with physical access to bypass protections and recover keys that protect device storage in less than a minute. Android Phones using affected MediaTek system-on-a-chip designs that rely on Trustonic’s Trusted Execution Environment are vulnerable to an exploit that can retrieve handset PINs, decrypt storage, and extract seed phrases from software wallets.
How Android Phones Are Affected
The vulnerability is tracked as CVE-2026-20435 and impacts MediaTek processors that implement Trustonic’s TEE. That configuration is present in a substantial portion of devices—about one in four Android Phones, with the issue concentrated largely in lower-cost models. The flaw enables an attacker with physical access to extract the root keys that protect full-disk encryption before Android finishes booting, effectively nullifying both the lock screen and encrypted storage protections on affected handsets.
What Researchers Demonstrated
Hardware security researchers from the Donjon team demonstrated the exploit on a MediaTek-powered handset and breached the phone’s foundational security in 45 seconds once the device was connected to a computer. A separate demonstration showed an attack performed by connecting a vulnerable phone to a laptop over USB that recovered the device PIN, decrypted storage, and extracted seed phrases from multiple software wallets without ever booting the Android operating system.
The researchers emphasized that the exploit requires physical access to the phone. They followed a responsible disclosure process and notified MediaTek before the vulnerability was made public. MediaTek provided fixes to device manufacturers on January 5, 2026, and has listed affected processors in a March security bulletin.
What Owners Can Do Now
Owners of Android Phones should verify whether their model uses an affected MediaTek chipset and check for security updates from their device manufacturer. One suggested way to confirm the SoC in a handset is to look up the model on device specification resources or the vendor’s website, then cross-check that SoC against MediaTek’s bulletin for CVE-2026-20435.
Because fixes were delivered to manufacturers rather than pushed directly to handsets, installation depends on each phone maker issuing firmware or security updates. That process can take days for supported devices and may never occur for devices that have reached end-of-life. Until updates are confirmed installed, the most practical immediate protections are to keep physical control of devices and avoid leaving them unattended or exposed to theft.
It remains unclear whether the vulnerability has been exploited by attackers in the field. The demonstrated impact—retrieval of PINs, decryption of storage, and extraction of wallet seed phrases—makes timely updates and physical security priorities for anyone with an affected device.
Look for firmware and security patches from your phone maker and install them as soon as they are available. For devices that do receive the patch, the update should be included in the manufacturer’s security release and will restore the intended protections if applied.
