Ledger has disclosed a critical vulnerability affecting some Android smartphones that use MediaTek processors and Trustonic’s trusted execution environment (TEE). The flaw could let an attacker with physical access extract sensitive data from a powered-off device in under a minute.

Ledger’s Donjon security research team demonstrated a proof-of-concept attack against a Nothing CMF Phone 1 connected to a laptop over USB. In the test, the team breached the phone’s foundational security within 45 seconds, without booting into Android.

According to Ledger, the exploit recovered the handset PIN, decrypted storage, and extracted seed phrases from several software wallets. Affected apps named by Ledger include Trust Wallet, Base,…