DMR News

Google Rolls Out Android Intrusion Logging Feature To Help Detect Spyware Attacks

By Jolyen

May 13, 2026

Google is rolling out a new Android security feature called Intrusion Logging, an opt-in tool designed to help security researchers and investigators analyze spyware attacks targeting mobile devices. The feature is part of Android’s Advanced Protection Mode, a security setting introduced last year to make devices more resistant to hacking attempts, including attacks involving government spyware and law enforcement forensic tools.

Advanced Protection Mode was created to strengthen device security for people considered at higher risk of surveillance, including journalists, activists, dissidents, and human rights defenders. Google said Intrusion Logging is now rolling out to devices running the Android 16 December update and newer.

How Intrusion Logging Works

Intrusion Logging creates a new category of system logs intended to record suspicious activity and preserve evidence connected to potential spyware attacks. The feature collects logs once per day and stores them in encrypted form within a user’s Google account in the cloud.

According to Google, the cloud storage approach is intended to stop spyware operators from deleting evidence from compromised devices. The company said the logs are encrypted in a way that prevents Google from accessing them, leaving only the user able to review or share the data with investigators.

The logs track a range of security-related events. These include when a device is unlocked, when applications are installed or removed, what websites and servers the phone connects to, and whether a device connects to Android Debug Bridge, commonly known as ADB.

ADB allows external devices, including forensic tools such as those developed by Cellebrite, to connect directly to Android devices. Intrusion Logging also records attempts to delete logs, which may indicate efforts to hide evidence of unauthorized access or surveillance activity.

Amnesty International Worked With Google On The Feature

Amnesty International collaborated with Google during the development of Intrusion Logging. The organization described the feature as “a fundamental shift in the amount and quality of forensic data available on Android devices.”

In a blog post explaining the feature, Amnesty said previous Android logs were not designed for intrusion detection and often disappeared quickly because they were overwritten by the system.

Donncha Ó Cearbhaill told TechCrunch that Android’s technical limitations had historically made spyware investigations more difficult compared with Apple devices.

“These limits have meant we’ve been unable to reliably detect known attacks against Android,” Ó Cearbhaill said.

He added that the new logging system should improve researchers’ ability to identify attacks involving spyware or forensic extraction tools.

The article referenced at least one documented case in Serbia where authorities allegedly used a forensic tool from Cellebrite to unlock a phone before installing spyware to continue monitoring the target.

Limits And Device Requirements

While Intrusion Logging adds new forensic capabilities, the feature currently comes with several restrictions.

Users must enable Advanced Protection Mode and install the latest Android software update. The feature is also limited to Google-made Pixel devices and requires users to connect the phone to a Google account.

Intrusion Logging records browser navigation history and server connection data, information that some users may hesitate to share with investigators despite the logs being encrypted.

Google said the feature is intended for individuals who believe they may face targeted surveillance attempts involving spyware or forensic tools.

The company’s approach resembles Apple’s Lockdown Mode, a security feature introduced for users at elevated risk of spyware attacks.

Apple stated in March that it had never identified a successful spyware attack against users who had Lockdown Mode enabled. In 2023, researchers at Citizen Lab reported that Lockdown Mode blocked an attempt to infect a device using spyware developed by NSO Group.

Amnesty’s blog post also includes instructions explaining how users can download and review Intrusion Logging data if they suspect their devices have been targeted.

The article noted that Apple, Google, and Meta have issued spyware threat notifications to users for several years, alerts that researchers say have helped identify and document surveillance campaigns.

