Critical Android Vulnerability Can Steal Your Crypto Seed Phrase in 3 Seconds

Ledger’s internal security lab has disclosed a zero-day vulnerability in Android’s WebView component that allows malicious background applications to extract a 24-word recovery seed from software wallets in under three seconds.

How the Attack Works

The vulnerability, named Memory-Mirror by Ledger Donjon researchers, exploits a bug in Android System WebView, the component that renders web content inside applications. A malicious app running in the background can trigger a memory leak that mirrors the contents of a wallet application’s private memory space into a shared cache accessible outside the normal sandbox boundary.

Android’s sandboxing architecture is designed to isolate each application’s memory from every other application on the device. Memory-Mirror bypasses that isolation under specific conditions that are not difficult to create. If a user enters their seed phrase into any software wallet while a compromised application is running in the background, the seed is extractable from the shared cache within three seconds of entry. The user sees nothing unusual. The wallet application behaves normally. The seed is gone.

The attack requires a malicious application to already be installed on the device. That bar is low, given the volume of fraudulent applications that pass through app store review processes and the prevalence of sideloaded APK files in the crypto community.

The Scope of Exposure

Ledger Donjon estimates that over 70% of Android devices running versions 12 through 15 remain vulnerable without the March 2026 security patch. Google began rolling out the fix to Pixel devices on March 5. Samsung and Xiaomi patches are expected by late March. Every Android device that has not received a build version ending in .0326 is currently susceptible.

The CoinGecko hot wallet ranking published earlier today placed Trust Wallet at number one and MetaMask at number two globally. Both wallets have temporarily disabled the Import via Seed feature on Android until device patch status can be verified. Phantom, at number four on the same list, is similarly affected. The three most popular non-custodial mobile wallets in the world have suspended seed import functionality on the platform through which the majority of their users access them.

What to Do Immediately

Android users holding crypto in any software wallet should check for the March 2026 security update immediately. Navigate to Settings, then Security or System, then Software Update, and verify the build version ends in .0326. If the update is not yet available from the device manufacturer, treat the device as compromised for seed entry purposes until it is.

Ledger’s recommendations extend beyond patching. Entering a recovery seed into any mobile keyboard on any software wallet carries inherent risk that exists independently of Memory-Mirror. The keyboard itself, clipboard managers, and screen recording applications all represent potential extraction vectors that hardware wallets eliminate by design. The Ledger Nano and Stax devices are unaffected by Memory-Mirror because the seed phrase never leaves the device’s Secure Element chip and is never exposed to the Android operating system at any point.

The Trust Wallet address poisoning protection feature covered in this publication yesterday defended users against one attack vector at the transaction layer. Memory-Mirror operates at a fundamentally deeper level, targeting the seed itself rather than a single transaction. A compromised seed compromises every wallet, every chain, and every asset derived from it permanently.

Update the device. Do not enter seed phrases on mobile until the patch is confirmed installed.

Disclaimer: ETHNews does not endorse and is not responsible for or liable for any content, accuracy, quality, advertising, products, or other materials on this page. Readers should do their own research before taking any actions related to cryptocurrencies. ETHNews is not responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods, or services mentioned.
Collin Brown