A newly-discovered zero-day security vulnerability in the Android operating system’s WebView component is putting millions of cryptocurrency users at risk by enabling malicious background apps to steal sensitive wallet recovery phrases in just three seconds. Security experts at Ledger revealed that attackers can exploit the flaw to instantly extract the 24-word seed phrases needed to access software crypto wallets—potentially exposing funds to swift theft.
Details of the Memory-Mirror Vulnerability
The vulnerability, dubbed “Memory-Mirror” by the Ledger Donjon security team, arises from how Android’s System WebView processes internet content within apps. In essence, a malicious app running in the background can siphon off secret data stored in a target wallet app’s supposedly isolated memory by leaking it to another cache it can access. Notably, during an attack, users notice nothing amiss—no unusual activity occurs on the affected wallet app while the attacker silently copies any seed phrase entered into the device.
While Android’s security architecture relies on isolating apps from one another, experts warn the Memory-Mirror bug circumvents these protections under certain conditions. Specifically, if a user enters a new recovery phrase into a wallet app while a rogue app lurks in the background, the sensitive seed can be snatched instantly from shared cache memory. Successful exploitation, however, requires the user to have previously installed a malicious application. The risk is heightened by the recent surge in counterfeit apps infiltrating app marketplaces and widespread installation of APK files from third-party sources.
Ledger Donjon researchers strongly advise all users to install security updates without delay in order to prevent this vulnerability from endangering mobile wallet security.
Affected Devices and Industry Response
According to Ledger Donjon, Android devices running versions 12, 13, 14, and 15 remain vulnerable unless the March 2026 security patch is installed. Google issued an update on March 5 for Pixel devices, while Samsung and Xiaomi are expected to distribute the fix by the end of the month. Any device that has not yet received the update ending in .0326 continues to be exposed to risk.
In response to the threat, leading software wallets Trust Wallet and MetaMask have temporarily suspended their “Import Seed” functions on Android. Trust Wallet, currently ranked the top hot wallet by CoinGecko, and MetaMask are blocking seed imports until they can confirm users’ devices have been patched. Similarly, Phantom has also halted seed-based logins on Android as a precautionary measure.
Steps Users Should Take
Anyone storing crypto on Android is urged to check for the March 2026 security patch by navigating to the Software Update section in device Settings. Devices with a version number ending in .0326 have received the critical fix. If a manufacturer has yet to distribute the update, experts recommend abstaining from entering new seed phrases on that device until its security can be assured.
Ledger’s security lab further warns that entering recovery phrases into any mobile software wallet carries additional risks beyond Memory-Mirror. On-screen keyboards, clipboard-accessing apps, and screen recording utilities could also expose sensitive seed information. Hardware wallets from Ledger are unaffected by this vulnerability, since recovery phrases never leave the encrypted hardware chip, remaining isolated from the Android operating system at all times.
Users are advised not to input seed phrases into mobile devices unless security updates have been applied. As Memory-Mirror specifically targets the core protective mechanisms of wallet apps, this class of attack can severely compromise users’ digital assets if left unaddressed.
