Android devices will restart every three days to protect user data

📟 News

Date: 16/04/2025

Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an encrypted state.

The company didn’t provide the exact reasons behind this innovation, but, apparently, it makes it more difficult for cyber forensic tools to extract data from devices.

It must be noted that back in January 2024, developers of the privacy- and security-focused GrapheneOS recommended to add an automatic restart feature to Android to make the exploitation of certain vulnerabilities in the firmware of such devices as Google Pixel and Samsung Galaxy more difficult. According to experts, forensic specialists use these vulnerabilities to extract information from devices.

The new auto-restart feature was introduced in the latest Google Play services update (25.14) in the Security & Privacy section.

“[The update] enables a future optional security feature, which will automatically restart your device if locked for 3 consecutive days,” – Google.

The point is that a spontaneous restart switches the device from the After First Unlock (AFU) state (user data are unencrypted and available for extraction) to the Before First Unlock (BFU) state (most user data remain encrypted and inaccessible until the device is first unlocked).

Stolen devices and those seized by law enforcement authorities are usually in the AFU state; as a result, experts can retrieve at least some data even from locked devices.

In January 2024, GrapheneOS developers recommended to add an auto-restart mechanism to Android devices to reboot such systems after 18 hours of inactivity and return them to the BFU state. Now Google is actually implementing such a feature, although the inactivity period is 72 hours instead of 18 hours.

It’s worth reminding that, last year, cyber forensic experts were surprised with the strange behavior of iPhone devices that restarted by themselves if not connected to a cellular network for some time. Later, it was confirmed that Apple developers have introduced a protective auto-restart feature in iOS 18.1.

Related posts:
2025.02.01 — Critical RCE vulnerability fixed in Cacti

A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…

Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices

The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…

Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO

According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…

Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update

Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…

Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign

According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…

Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic

Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…

Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework

According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…

Full article →
2025.01.29 — Google to disable Sync in older Chrome versions

Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…

Full article →
2025.02.03 — PyPI introduces a project archival system to combat malicious updates

The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…

Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies

GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…

Full article →