
The company didn’t provide the exact reasons behind this innovation, but, apparently, it makes it more difficult for cyber forensic tools to extract data from devices.
It must be noted that back in January 2024, developers of the privacy- and security-focused GrapheneOS recommended to add an automatic restart feature to Android to make the exploitation of certain vulnerabilities in the firmware of such devices as Google Pixel and Samsung Galaxy more difficult. According to experts, forensic specialists use these vulnerabilities to extract information from devices.
The new auto-restart feature was introduced in the latest Google Play services update (25.14) in the Security & Privacy section.
“[The update] enables a future optional security feature, which will automatically restart your device if locked for 3 consecutive days,” – Google.
The point is that a spontaneous restart switches the device from the After First Unlock (AFU) state (user data are unencrypted and available for extraction) to the Before First Unlock (BFU) state (most user data remain encrypted and inaccessible until the device is first unlocked).
Stolen devices and those seized by law enforcement authorities are usually in the AFU state; as a result, experts can retrieve at least some data even from locked devices.
In January 2024, GrapheneOS developers recommended to add an auto-restart mechanism to Android devices to reboot such systems after 18 hours of inactivity and return them to the BFU state. Now Google is actually implementing such a feature, although the inactivity period is 72 hours instead of 18 hours.
It’s worth reminding that, last year, cyber forensic experts were surprised with the strange behavior of iPhone devices that restarted by themselves if not connected to a cellular network for some time. Later, it was confirmed that Apple developers have introduced a protective auto-restart feature in iOS 18.1.

2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.02.05 — Google patches Android zero-day vulnerability exploited by hackers
Google released the February set of patches for Android. In total, they fix 48 bugs, including a kernel zero-day vulnerability actively exploited by hackers. The zero-day's…
Full article →
2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched
Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…
Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage
According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…
Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →