
The company didn’t provide the exact reasons behind this innovation, but, apparently, it makes it more difficult for cyber forensic tools to extract data from devices.
It must be noted that back in January 2024, developers of the privacy- and security-focused GrapheneOS recommended to add an automatic restart feature to Android to make the exploitation of certain vulnerabilities in the firmware of such devices as Google Pixel and Samsung Galaxy more difficult. According to experts, forensic specialists use these vulnerabilities to extract information from devices.
The new auto-restart feature was introduced in the latest Google Play services update (25.14) in the Security & Privacy section.
“[The update] enables a future optional security feature, which will automatically restart your device if locked for 3 consecutive days,” – Google.
The point is that a spontaneous restart switches the device from the After First Unlock (AFU) state (user data are unencrypted and available for extraction) to the Before First Unlock (BFU) state (most user data remain encrypted and inaccessible until the device is first unlocked).
Stolen devices and those seized by law enforcement authorities are usually in the AFU state; as a result, experts can retrieve at least some data even from locked devices.
In January 2024, GrapheneOS developers recommended to add an auto-restart mechanism to Android devices to reboot such systems after 18 hours of inactivity and return them to the BFU state. Now Google is actually implementing such a feature, although the inactivity period is 72 hours instead of 18 hours.
It’s worth reminding that, last year, cyber forensic experts were surprised with the strange behavior of iPhone devices that restarted by themselves if not connected to a cellular network for some time. Later, it was confirmed that Apple developers have introduced a protective auto-restart feature in iOS 18.1.

2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies
GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud
ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.03.26 — Cloudflare to block all unencrypted traffic to its APIs
According to Cloudflare, effective immediately, only secure HTTPS connections to api.cloudflare.com will be accepted; while all HTTP ports are to be closed. The purpose of this decision…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.01.25 — 18,000 script kiddies have been infected with backdoor via XWorm RAT builder
According to CloudSEK analysts, malefactors attack novice hackers using a fake malware builder. Script kiddies' systems become infected with a backdoor that steals data and subsequently…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →