A locked Android phone is supposed to keep intruders out. But a newly disclosed chip-level flaw may take that protection off the table, putting as many as 875 million devices at risk of being unlocked or raided for data.
First reported by Forbes, the flaw affects MediaTek-powered Android phones at a level below the apps and operating system most users think about. That gives the bug unusually high stakes, exposing how quickly a stolen device could become far less secure than it appears.
Sixty seconds is all it may take
The flaw may affect roughly one in four Android smartphones, pushing this well beyond the kind of niche security issue most users can safely ignore. Forbes notes that in the right conditions, an attacker could move in within 60 seconds and do so before the operating system has fully loaded.
Scale and speed give the flaw its force. This is not about a quirky bug buried in a rarely used feature, but about a weakness that could affect a large share of the Android market and turn a stolen phone into a more immediate security problem.
A problem that starts before Android does
Researchers at Ledger’s Donjon Hacker Lab found the weakness in MediaTek’s secure boot chain.
What makes this especially unsettling is where the weakness lives: deep in the secure boot process that helps a phone verify itself and protect encrypted data before Android fully loads. In practical terms, that puts a locked device at risk at a lower level than most users would expect, before the operating system has much chance to protect its contents.
With the phone in hand and a USB connection, an attacker could extract the cryptographic keys tied to full-disk encryption, then decrypt storage offline and brute-force the PIN in seconds. The phone can still appear locked even as the damage begins below the surface.
Common handsets, uncommon risk
The vulnerable MediaTek chipsets appear across a wide range of mid-range and budget Android phones, placing the problem squarely in the part of the market many people rely on every day.
A proof of concept was demonstrated on the Nothing CMF Phone 1, and affected models may include phones from:
The risk feels much more immediate when it is tied to familiar Android phones bought for price, practicality, and everyday use.
A fix on paper is not a fix in hand
MediaTek issued a patch in January, but that does not mean the danger has already passed. Android updates do not roll out in a single, continuous stream, and phones that rely on slower manufacturer rollouts can remain vulnerable long after a fix is available.
That leaves users stuck in the gap between a vulnerability being patched and protection actually arriving on their device. Lower-cost phones often wait the longest, making the update pipeline almost as important as the bug itself.
For users, the practical move is to check for the latest security update and confirm the March Android patch has arrived.
A newly disclosed flaw in Microsoft Authenticator could put login codes for millions of Android and iPhone users at risk.