Read update
Security researchers from the privacy and security-focused custom ROMGrapheneOShave found a firmware vulnerability in Android. To reduce the window of opportunity for this and other, yet-to-be-discovered vulnerabilities, GrapheneOS already offers an automatic reboot option, but suggests improvements to the reboot process itself on Android to further mitigate attacks on other devices.
While GrapheneOS hasn’t made details about the discovered exploit public yet, the security researchers say that it is already being exploited by forensic companies with physical access to devices today (via Bleeping Computer). Both Pixel and Galaxy phones are vulnerable. The attack can only be carried out on devices that are not at rest, meaning those that have been unlocked at least once after they were booted. Devices that were rebooted and haven’t been unlocked yet are safe from this attack.
GrapheneOS automatically reboots phones if they haven’t been used for 18 hours by default, reducing the window of opportunity to break in and obtain data using the firmware exploit or other attacks that rely on devices in their not-at-rest state. Users can set the window to another value if they prefer, going as low as 10 minutes.
Before it uncovered the exploit, GrapheneOS only auto-rebooted after 72 hours of inactivity, but it has since tweaked the default setting to be lower. To prevent any problems from cropping up with the shorter window, devices will now also only start the reboot timer again once the device has first been unlocked after rebooting.
While a phone is at rest, only a handful of services are allowed to run in the background. you may still receive phone calls, SMS messages, and alarms from your default clock app, but you won’t get notifications from most third-party apps.
To make attacks like this harder, it would likely make sense for Google and other manufacturers to introduce similar auto-reboot features. Some manufacturers, among them Samsung and OnePlus, already offer optional reboots at set times, but an auto-reboot timer like GrapheneOS offers isn’t widespread.
Google Pixel phones don’t support any sort of auto-reboot option in their stock firmware, which is a questionable omission based on these findings. Regularly rebooting your phone is a good idea in the first place toensure that it keeps running smoothly, but doing it manually won’t help if you lose your phone while it’s in its not-at-rest state.
GrapheneOS also says it proposed new security measures to Google to further prevent attacks like this, such as fully emptying memory on boots (zero memory).
A Google spokesperson acknowledges that the company received the report: “GrapheneOS is a third-party mobile operating system based on the Android Open Source Project. GrapheneOS reported these issues to our Android Vulnerability Reward Program (VRP) on January 2. We are in the process of reviewing and determining next steps.”
GrapheneOS admits that it has mostly focused on protection from remote attacks and privacy-focused tweaks to Android, but the vulnerability it found made clear that physical protection is equally important. On top of existing features that make exploits harder, like auto-reboot and automatic blocking of new USB peripherals when the device is locked, the nonprofit plans to introduce more measures that further prevent physical exploits.
Correction Jan 16, 03:34 AM ET:We originally stated that GrapheneOS was planning to block USB accessories when a device is locked, but this measure has been in place for a long time. We’ve also made clear that GrapheneOS is a nonprofit organization. The story has been updated accordingly.
UPDATE: 2025-08-23 14:13 EST BY MANUEL VONAU
Story updated with statement from Google
