Update 1 (January 17, 2024)

08:46 am (IST): In a statement to PiunikaWeb, a Google spokesperson said the following:

GrapheneOS is a third-party mobile operating system based on the Android Open Source Project. GrapheneOS reported these issues to our Android Vulnerability Reward Program (VRP) on January 2. We are in the process of reviewing and determining next steps.

So, thanks to the GrapheneOS team, Google has been aware of the vulnerability since the beginning of this year and is investigating ways to resolve it, which is great news for the security of Pixel users. There is still no similar statement from Samsung, the other affected Android brand, so the steps it is taking are unknown.

Original article follows:


A team of researchers has discovered an exploit in Android that especially affects Google Pixel and Galaxy phones. Although more specific details have not been shared (perhaps to avoid facilitating its use), they did reveal that rebooting the smartphone from time to time is an effective method against it.

The researchers who found the exploit are from the team behind GrapheneOS, an AOSP fork especially focused on security and privacy. According to the report, they have already updated their ‘auto-reboot’ option so that it automatically restarts the smartphone if you have not used it for 18 hours, and users can set a time frame as short as 10 minutes if they wish.


Also, they claim that the vulnerability is already being exploited by forensic teams that require access to the content of locked devices. That said, those who want to try to use the exploit need physical access to the device in question, and it must have been unlocked at least once after a reboot. Those devices that have been restarted but not unlocked will not be affected, since the phone does not load all the content until you unlock it (they are in the so-called ‘rest’ state).

So, the idea of auto-reboot is to put the device back into the ‘rest’ state automatically when it has gone unused, where it stays until you unlock it again. This prevents situations such as becoming a potential target of an attack of this type after losing your phone. The OS also checks whether the phone is already in the ‘rest’ state to prevent automatic reboots in those cases.


GrapheneOS is only available for some Pixel phones; Galaxy devices include ‘auto-reboot’ option

It’s noteworthy that GrapheneOS already had the ‘auto-reboot’ option even before discovering the exploit that is affecting Google Pixel and Samsung Galaxy devices, but the default setting was 72 hours (now 18 hours). In any case, they recommend that the Android team implement further measures against it. Additionally, GrapheneOS is only for some Pixel devices, so the team isn’t sure how Samsung is handling the matter.

While an ‘auto-reboot’ option is not popular among manufacturers, Samsung does include something similar in its devices, but Pixel phones lack this. The GrapheneOS security team added that, for greater protection against these types of ‘physical’ or non-remote attacks, it will add options such as blocking the addition of new USB-C peripherals while the device is locked.


Jean Leon