Security research conducted by Ledger has uncovered a critical zero-day vulnerability in the WebView component of the Android operating system. The vulnerability allows malicious background applications to steal 24-word recovery phrases from cryptocurrency software wallets in just three seconds.
Details of the Memory-Mirror Vulnerability
The Ledger Donjon team announced that the vulnerability, named Memory-Mirror, originates in Android System WebView, the component that processes internet content inside applications. A malicious application can capture sensitive data from the target wallet application's private memory space by leaking it to another cache that should normally be isolated. During the attack the user sees no unusual symptoms and nothing abnormal appears in the wallet application; however, the attacker can copy the entered seed phrase within a short time.
Android's security model is built on application isolation, which normally prevents applications from accessing each other's memory. Memory-Mirror, however, works across that isolation boundary. In particular, if a malicious application is active in the background while the recovery words are being entered into the software wallet, the seed phrase can be pulled from the shared cache instantly. For the attack to work, the user must already have installed a malicious application on the device. The recent increase in fake applications infiltrating the mobile market and the frequent installation of APK files raise the risk level further.
Ledger Donjon researchers recommend that all users install system security updates without delay to protect themselves against this vulnerability, which may affect the security of mobile wallets.
Affected Devices and Precautions Taken
Ledger Donjon states that devices running Android versions 12, 13, 14 and 15 are exposed unless the March 2026 security patch is installed. Google released the update for Pixel devices as of March 5. Samsung and Xiaomi are expected to distribute patches by the end of the month. Any Android device that has not yet received the update with the .0326 suffix is still vulnerable.
Trust Wallet and MetaMask, two of the most popular software wallets in the world, have temporarily suspended the Import with Seed feature on Android. Trust Wallet, which ranks first in the hot wallet rankings published by CoinGecko today, followed by MetaMask, has disabled this critical function until users verify the patch status of their devices. Similarly, the Phantom wallet has also stopped seed-based login on Android.
What Should Users Do?
Users who store crypto on Android should open the Software Update section in Settings and check whether their devices have received the March 2026 security update. A device version ending in .0326 means the necessary security patch has been applied. If the device manufacturer has not yet offered the update, not entering a new seed on the device is described as a critical security step.
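For anyone who has to check several devices, the patch check described above can be scripted. The following is an added example, not code from Ledger or from the original article; it assumes the March 2026 patch appears as a ro.build.version.security_patch value of 2026-03-01 or later, and the function names and sample inventory are constructed for illustration.

```shell
# Added example (not Ledger's or Google's code): patch triage for the advisory above.
# Assumption: the "March 2026 security patch" shows up as a value of
# ro.build.version.security_patch on or after 2026-03-01.
MM_FIXED_LEVEL="2026-03-01"

# mm_status RELEASE PATCH_LEVEL
# Prints: patched | vulnerable | out-of-scope | unknown
mm_status() {
    release=$1
    patch=$2
    # The article lists Android 12, 13, 14 and 15 as affected; other
    # releases are reported as out-of-scope, which is not a claim of safety.
    case "${release%%.*}" in
        12|13|14|15) ;;
        ''|*[!0-9]*) echo unknown; return ;;
        *) echo out-of-scope; return ;;
    esac
    # Refuse to compare anything that is not YYYY-MM-DD.
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return ;;
    esac
    # With the dashes removed, ISO dates compare correctly as integers.
    have=$(printf '%s' "$patch" | sed 's/-//g')
    need=$(printf '%s' "$MM_FIXED_LEVEL" | sed 's/-//g')
    if [ "$have" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# mm_check_device SERIAL: read both properties from a device attached via adb.
mm_check_device() {
    rel=$(adb -s "$1" shell getprop ro.build.version.release | tr -d '\r')
    lvl=$(adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s %s\n' "$1" "$(mm_status "$rel" "$lvl")"
}

# mm_triage: read "serial release patch_level" lines on stdin, one verdict per line.
mm_triage() {
    while read -r serial rel lvl; do
        [ -n "$serial" ] || continue
        printf '%s %s\n' "$serial" "$(mm_status "$rel" "$lvl")"
    done
}

# Constructed inventory for illustration (not real devices).
MM_SAMPLE='pixel-01 15 2026-03-05
galaxy-07 14 2026-02-01
redmi-03 13 2025-12-01
tablet-09 11 2024-06-01
kiosk-02 14 n/a'
```

mm_check_device needs USB debugging enabled on the device and adb on the PATH; mm_triage works offline on an exported inventory, for example: printf '%s\n' "$MM_SAMPLE" | mm_triage.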
Ledger's security lab also emphasizes that entering the recovery words into any software wallet on mobile carries risks beyond Memory-Mirror. On-screen keyboards, applications that access the clipboard, and screen recorders are among the potential threats that can capture seed information. Ledger hardware wallets are not affected by this vulnerability, because the recovery words are kept only in the hardware's dedicated security chip and are not transferred to the Android operating system at any stage.
Users are advised not to enter any recovery words on their mobile devices until the update is installed. Since Memory-Mirror directly targets the wallet's core protection mechanism, such attacks can fundamentally compromise digital assets.
