18 March 2026

MediaTek security flaw may have affected more Android phones than initially reported

Hadlee Simons / Android Authority

TL;DR

  • Security firm Trustonic has pushed back on claims that its software is vulnerable on MediaTek chips.
  • The issue could affect multiple security systems across MediaTek processors, not just Trustonic’s, the company told Android Authority.
  • MediaTek issued a fix in January, but the scope of affected devices is still unclear.

The issue was discovered by Ledger’s Donjon security research team on the CMF Phone 1 by Nothing. Researchers were able to extract sensitive data, including the phone’s PIN and crypto wallet seed phrases, in under a minute without booting Android.

While Ledger suggested the issue stemmed from Trustonic’s Trusted Execution Environment (TEE) on MediaTek chips, Trustonic says the problem wasn’t in its security software.

“This issue does not exist on other SoC vendor products where we are using the same version of Kinibi,” the company told Android Authority.

For context, Kinibi is Trustonic’s secure software that runs inside a phone’s protected environment (TEE) and ensures sensitive data like PINs, encryption keys, and biometric information remain safe.

So, essentially, Trustonic is claiming that its software behaves securely on other chipsets and suggesting that the weakness is specific to MediaTek’s platform.

“Trustonic is not on all MediaTek chipsets, hence calling out Trustonic explicitly is not reasonable,” the company said.

While the original research held both MediaTek chips and Trustonic’s TEE responsible for the vulnerability, Trustonic’s response suggests the problem affected a wider range of Android devices across different brands and security implementations.

Trustonic added that it did not need to update its security software, as MediaTek issued the fix from its end to device makers on January 5, 2026.

The company declined to confirm whether the Nothing CMF Phone 1 uses its technology. We also reached out to Ledger’s Donjon team to clarify the scope of the issue, but did not hear back at the time of publication.
