Millions of cryptocurrency users may be at risk from a newly identified zero-day vulnerability in Android’s WebView component, according to security experts from Ledger. The flaw lets a malicious application steal sensitive wallet recovery phrases in under three seconds, undermining the security of software crypto wallets and exposing funds to potential theft.
What is the Memory-Mirror Vulnerability?
The Ledger Donjon security team has named this security flaw the “Memory-Mirror” vulnerability. It originates from the way Android’s System WebView handles web content within apps. By exploiting this flaw, a malicious app running silently in the background can access sensitive data stored in the memory of targeted wallet apps. Users remain unaware during the attack, because the compromised app shows no visible signs of unusual activity.
How Are Devices and Industry Reacting?
Devices running Android versions 12 to 15 are vulnerable unless they have the March 2026 security patch. On March 5, Google released an update for Pixel devices, with Samsung and Xiaomi expected to follow by the end of the month. Devices lacking an update ending in .0326 remain exposed. In response, the popular software wallets Trust Wallet and MetaMask have temporarily suspended their “Import Seed” feature for Android users until devices are confirmed patched. Similarly, Phantom has stopped seed-based logins.
What Measures Should Users Take?
Android users storing cryptocurrencies should immediately check whether their devices have received the security patch by opening the Software Update section. Devices with an update ending in .0326 are secure. If the manufacturer has not yet distributed an update, users should refrain from entering new seed phrases. Ledger warns that the risks extend beyond Memory-Mirror, as on-screen keyboards and clipboard-accessing apps may also compromise seed information.
Ledger Donjon researchers strongly advise all users to install security updates without delay to prevent this vulnerability from endangering mobile wallet security.
Key points:
- Android versions 12-15 require the March 2026 patch.
- Trust Wallet, MetaMask, and Phantom have disabled seed imports on Android until devices are confirmed patched.
- Only devices updated to .0326 are considered safe.
- Hardware wallets such as Ledger remain unaffected by the flaw.
Staying current with device updates and security patches is essential. Users should avoid entering recovery phrases into mobile devices until updates are confirmed. This vulnerability jeopardizes the core defenses of wallet apps, potentially threatening users’ digital assets if not addressed promptly.



