Android flaw lets hackers unlock phones in under a minute

Your telephone fastener surface is expected to beryllium your past enactment of defense. If your instrumentality gets mislaid oregon stolen, that PIN oregon passcode should support strangers retired of your photos, messages and fiscal apps. But researchers person recovered a superior flaw that tin interruption done those protections connected definite Android phones successful little than a minute.

Once exploited, attackers tin retrieve your phone's PIN, unlock encrypted retention and adjacent extract delicate information specified arsenic cryptocurrency wallet effect phrases. Security researchers estimation that astir 1 successful 4 Android phones could beryllium affected, peculiarly fund phones.

Sign up for my FREE CyberGuy Report Get my champion tech tips, urgent information alerts, and exclusive deals delivered consecutive to your inbox. For simple, real-world ways to spot scams aboriginal and enactment protected, visit CyberGuy.com -  trusted by millions who ticker CyberGuy connected TV daily. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide escaped erstwhile you join.  

ANDROID FIXES 129 SECURITY FLAWS IN MAJOR PHONE UPDATE

Google’s March Android information update fixes 129 vulnerabilities, including a zero-day flaw already exploited successful targeted attacks. (Firdous Nazir/NurPhoto)

All astir the Android hacking flaw

A recently disclosed vulnerability, tracked arsenic CVE-2026-20435 successful the National Vulnerability Database, affects immoderate Android phones powered by MediaTek, a large smartphone spot shaper based successful Taiwan that competes with companies similar Qualcomm. These phones usage a information constituent called Trustonic's Trusted Execution Environment (TEE), which is designed to support delicate data, specified arsenic encryption keys, protected from the remainder of the system.

It stores cryptographic keys that assistance support your instrumentality encrypted and secure, adjacent if idiosyncratic tries to tamper with it. However, information analyses of the vulnerability bespeak that these protections whitethorn beryllium bypassed connected affected devices.

By connecting a telephone to a machine utilizing a USB cable, an attacker with carnal entree whitethorn beryllium capable to exploit the flaw during the aboriginal footwear process, perchance exposing delicate information earlier afloat information protections are enforced. Think of it similar accessing the maestro cardinal earlier the harmless doorway adjacent closes. Once attackers summation entree to these low-level components, they whitethorn beryllium capable to entree encrypted retention without needing your PIN.

In a worst-case scenario, this benignant of entree could let attackers to extract highly delicate information, including idiosyncratic photos, stored passwords, backstage messages, fiscal data, and crypto wallet credentials. If effect phrases for crypto wallets are exposed, attackers could drain funds permanently.

What are Android makers doing astir this

There's constricted enactment manufacturers tin instrumentality connected their ain since the contented originates astatine the processor level, which is manufactured by MediaTek. The institution says it has released a firmware spot addressing the vulnerability. However, the update indispensable inactive beryllium distributed by idiosyncratic telephone manufacturers done information updates. Depending connected the instrumentality and whether it is inactive supported, that update could get rapidly oregon not astatine all.

The bully happening is that this onslaught requires carnal entree to the telephone and a USB transportation to a computer. That means it cannot beryllium done remotely implicit the internet. However, if your telephone is stolen, concisely confiscated, oregon adjacent taken during a repair, the attacker could perchance extract delicate information.

If you're not definite whether this vulnerability affects your mobile device, you tin look up your telephone connected a level similar GSMArena oregon your vendor's website to spot which SoC it uses, past cross-check it with MediaTek's March information bulletin nether CVE-2026-20435. You tin log onto corp.mediatek.com/product-security-bulletin/March-2026 to reappraisal the database of affected chipsets and corroborate whether your instrumentality whitethorn beryllium astatine risk.

CyberGuy reached retired to MediaTek for comment, but did not perceive backmost earlier our deadline.

NEW ANDROID ATTACK TRICKS YOU INTO GIVING DANGEROUS PERMISSIONS

A caller Android banking trojan called Sturnus tin instrumentality implicit your screen, bargain your banking credentials and adjacent work encrypted chats from apps you trust. (Delmaine Donson/Getty Images)

How to archer if your telephone is affected

So however bash you cognize if your telephone is really astatine risk? Not each Android telephone is vulnerable. The contented chiefly affects devices that usage definite MediaTek processors. Here's however to cheque your phone:

1) Find your telephone model

Go to Settings > About phone and look for your nonstop exemplary name.

2) Look up your processor (chip)

Search your phone model connected a tract similar GSMArena oregon your manufacturer's website to find the processor (also called the SoC).

3) Check if it uses MediaTek

If your telephone uses a MediaTek chip, it whitethorn beryllium affected. Devices with Qualcomm Snapdragon oregon Google Tensor chips are not portion of this circumstantial issue.

4) Install the latest information updates immediately

Check your phone's strategy update settings and instal immoderate disposable updates from your manufacturer.  Go to Settings > Software update and instal immoderate available updates. MediaTek has already released a fix, but telephone makers indispensable administer it. Installing updates rapidly ensures you person the firmware spot if your instrumentality shaper has released it.

7 ways you tin support your telephone from getting hacked

If your telephone uses 1 of the affected chips, a fewer elemental precautions tin assistance trim the chances of idiosyncratic accessing your information if the instrumentality ever falls into the incorrect hands.

1) Install beardown antivirus protection

A information app cannot hole this processor-level flaw. However, it tin inactive assistance support your telephone from different threats that often travel stolen oregon compromised devices. It volition not halt this circumstantial exploit, but it tin observe malicious apps, spyware, and suspicious enactment that attackers whitethorn instal aft gaining access. That other furniture of monitoring tin assistance halt further information theft if your instrumentality ever falls into the incorrect hands. Get my picks for the champion 2026 antivirus extortion winners for your Windows, Mac, Android & iOS devices astatine Cyberguy.com

2) Avoid keeping delicate accusation connected your phone

If you store things similar cryptocurrency wallet effect phrases, betterment codes, oregon delicate documents successful notes apps oregon screenshots, see moving them to a unafraid offline location. If idiosyncratic extracts your phone's information done this vulnerability, that accusation could beryllium exposed.

3) Keep carnal power of your phone

This exploit requires idiosyncratic to physically link your telephone to a computer. Do not permission your instrumentality unattended successful nationalist places, and beryllium cautious erstwhile handing it to repair shops oregon chartless technicians. Physical entree dramatically increases the risk.

4) Use beardown surface locks and auto-lock settings

While the vulnerability bypasses encryption connected affected devices, beardown fastener settings inactive support against galore different threats. Use a longer PIN oregon passcode alternatively of elemental patterns, and alteration automatic locking aft abbreviated periods of inactivity.

5) Protect accounts with two-factor authentication

Even if attackers summation entree to information connected your phone, two-factor authentication (2FA) tin halt them from logging into your online accounts. Enable it for email, banking apps, unreality storage, and societal media wherever possible.

6) Use a password manager

A password manager stores your login credentials successful a secure, encrypted vault alternatively of leaving them scattered crossed apps and notes. If idiosyncratic compromises your device, the password manager inactive protects your accounts with beardown encryption, forcing attackers to interruption done different information furniture earlier they tin entree your logins. Check retired the champion expert-reviewed password managers of 2026 astatine Cyberguy.com

7) Enable USB restricted mode (if available)

Some Android devices bounds USB information entree erstwhile locked. Turning connected this mounting tin trim the hazard of unauthorized information extraction done a wired connection, particularly successful situations wherever idiosyncratic concisely gains carnal entree to your phone. On Samsung phones moving the latest software:

Settings whitethorn alteration somewhat depending connected your Samsung exemplary and bundle version.

Go to Settings

Tap Lock screen

Then, pat Secure fastener settings

Enter your existent PIN, then pat Continue

Enable "Lock web and security" (or a likewise named option) to assistance artifact USB information entree portion your instrumentality is locked.

ZeroDayRAT spyware tin secretly entree messages, camera feeds and banking apps connected infected iPhone and Android devices. (Stefan Sauer/picture alliance)

Kurt's cardinal takeaway

This vulnerability exposes a deeper contented with the Android ecosystem. Even erstwhile chipmakers merchandise a fix, millions of phones beryllium connected manufacturers to present updates that whitethorn ne'er arrive, particularly for cheaper devices that suffer enactment quickly. We often presume our fastener surface and encryption volition support our information if a telephone is mislaid oregon stolen. However, incidents similar this amusement that extortion is lone arsenic beardown arsenic the update policies down it. When devices halt receiving information patches, those protections softly weaken implicit time.

Should telephone manufacturers beryllium required to warrant information updates for respective years if their devices incorporate captious encryption vulnerabilities? Let america cognize by penning to america astatine Cyberguy.com

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report Get my champion tech tips, urgent information alerts, and exclusive deals delivered consecutive to your inbox. For simple, real-world ways to spot scams aboriginal and enactment protected, visit CyberGuy.com -  trusted by millions who ticker CyberGuy connected TV daily. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide escaped erstwhile you join.

Copyright 2026 CyberGuy.com.  All rights reserved.