
The company didn’t provide the exact reasons behind this innovation, but, apparently, it makes it more difficult for cyber forensic tools to extract data from devices.
It must be noted that back in January 2024, developers of the privacy- and security-focused GrapheneOS recommended to add an automatic restart feature to Android to make the exploitation of certain vulnerabilities in the firmware of such devices as Google Pixel and Samsung Galaxy more difficult. According to experts, forensic specialists use these vulnerabilities to extract information from devices.
The new auto-restart feature was introduced in the latest Google Play services update (25.14) in the Security & Privacy section.
“[The update] enables a future optional security feature, which will automatically restart your device if locked for 3 consecutive days,” – Google.
The point is that a spontaneous restart switches the device from the After First Unlock (AFU) state (user data are unencrypted and available for extraction) to the Before First Unlock (BFU) state (most user data remain encrypted and inaccessible until the device is first unlocked).
Stolen devices and those seized by law enforcement authorities are usually in the AFU state; as a result, experts can retrieve at least some data even from locked devices.
In January 2024, GrapheneOS developers recommended to add an auto-restart mechanism to Android devices to reboot such systems after 18 hours of inactivity and return them to the BFU state. Now Google is actually implementing such a feature, although the inactivity period is 72 hours instead of 18 hours.
It’s worth reminding that, last year, cyber forensic experts were surprised with the strange behavior of iPhone devices that restarted by themselves if not connected to a cellular network for some time. Later, it was confirmed that Apple developers have introduced a protective auto-restart feature in iOS 18.1.

2025.01.27 — Zyxel firewalls reboot due to flawed update
Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…
Full article →
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet
All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…
Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello
Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…
Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'
A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…
Full article →
2025.01.30 — Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks
Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks. A number…
Full article →
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management
Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables an unprivileged remote authenticated attacker to gain administrative privileges. The vulnerability…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices
The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →