Ledger's internal security lab recently disclosed a zero-day vulnerability in the Android WebView component, which allows malicious background applications to extract a 24-word recovery seed from software wallets in less than three seconds.
Attack Mechanism
The sandbox architecture of Android is designed to isolate each application's memory from others on the device. However, Memory-Mirror can bypass this isolation under specific conditions that are not difficult to create. If a user inputs their seed phrase in any software wallet while running a compromised application, the seed will be extracted from shared memory within three seconds of input. The user will not notice any anomalies; the wallet application behaves normally while the seed quietly disappears.
This attack requires a malicious application to be installed on the device, lowering the barrier for intrusion, as many fraudulent applications can pass through app store review processes, and sideloading APK files is quite common in the crypto community.
Scope of Exposure
Ledger Donjon estimates that over 70% of devices running Android versions 12 to 15 are vulnerable until the security patch from March 2026 is installed. Google began rolling out a fix for Pixel devices on March 5, with patches for Samsung and Xiaomi expected by the end of March. All Android devices that have not received a version number ending in .0326 are at risk.
According to the hot wallet rankings released by CoinGecko today, Trust Wallet ranks first, followed by MetaMask in second place. Due to the inability to confirm the patch status of devices, these two wallets have temporarily disabled the seed import feature on Android. The fourth-ranked Phantom is also similarly affected. These three most popular non-custodial mobile wallets have suspended the seed import feature on most platforms used by their users.
Timely Action Required
Android users holding crypto assets in any software wallet should immediately check if the March 2026 security update is installed. This can be confirmed through settings, security or system, then software updates, to see if the version number ends with .0326. If the manufacturer has not provided an update, the device should be considered compromised when entering the seed.
Ledger's advice is not limited to patching. There is an inherent risk in entering recovery seeds through any mobile keyboard in any software wallet, which is unrelated to Memory-Mirror. Keyboards, clipboard managers, and screen recording applications can all become extraction vectors, while hardware wallets eliminate these risks by design. Ledger Nano and Stax devices are not affected by Memory-Mirror, as the seed phrase never leaves the secure element chip of the device and is never exposed to the Android operating system at any time.