Google launches new Android security feature to help uncover spyware attacks


Google is rolling out a new opt-in feature in Android that aims to help security researchers investigate spyware attacks.

The feature is called “Intrusion Logging” and is part of Android’s Advanced Protection Mode, an opt-in security mode that Google launched last year and that enables certain features with the goal of making the device harder to hack. Advanced Protection Mode is designed to counter government spyware attacks and police forensic devices that try to extract data from a person’s phone.

These two types of attacks can also be combined. In at least one documented case in Serbia, authorities used a law enforcement forensic tool made by Cellebrite to unlock a device, and then installed spyware as a further step to continue monitoring the target. 

The rollout of Intrusion Logging is the first time a phone maker has launched a feature with the goal of helping security researchers investigate spyware attacks. To achieve that, Android’s Intrusion Logging creates a new type of log, which records errors and collects evidence when something goes wrong with the software, to provide visibility into suspected spyware attacks. 

Amnesty International, which worked with Google to develop the feature, called Intrusion Logging “a fundamental shift in the amount and quality of forensic data available on Android devices.”

“Until now, forensic analysis has relied on logs that were never designed for intrusion detection,” Amnesty wrote in a blog post that explains in detail how Intrusion Logging works. That meant earlier logs were not that useful for researchers, as they did not remain on the device for long and were often overwritten, effectively erasing potential evidence of attacks.

Donncha Ó Cearbhaill, the head of Amnesty’s Security Lab, told TechCrunch that Android’s technical limits “have made it difficult to deeply analyze system logs and files for signs of compromise, unlike with iOS.”

“These limits have meant we’ve been unable to reliably detect known attacks against Android,” said Ó Cearbhaill, who has for years investigated dozens of cases of spyware abuse around the world. 

The ability to better detect spyware attacks should improve with Intrusion Logging. Google announced the feature a year ago, but the company is deploying it only now. In a Tuesday blog post, Google said that Intrusion Logging “is currently rolling out to all devices running the Android 16 December update and newer.”

How Intrusion Logging works

Intrusion Logging captures events related to security and potential intrusions. For starters, the feature creates and collects logs once a day and stores them encrypted in the user’s Google account in the cloud. Uploading the logs to the cloud potentially prevents spyware from deleting evidence of a device compromise. The logs are also encrypted so that only the user can access them and choose to share them with investigators; Google cannot read them.

The events that Intrusion Logging keeps track of include: when the phone was unlocked; when applications have been installed and uninstalled; which websites and servers the phone connected to; whether something connected over Android Debug Bridge, the interface that lets a computer, or a forensic device such as a Cellebrite tool, connect to an Android device; and whether someone tried to delete the logs of these events, which could indicate an attempt to hide evidence of an attack.

In the event of a spyware attack, these logs can help investigators understand when and how authorities may have hacked or forcibly unlocked someone’s device, connected it to a forensics tool, or used that access to install spyware or stalkerware. The logs can also show whether a phone at some point connected to a malicious website that tries to hack the visiting device, or to servers designed to extract data from the phone.
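To make the investigator’s side of this concrete, here is an added example (not code from the article, Google or Amnesty) of a small triage script that correlates the kinds of events the article says Intrusion Logging records: device unlocks, ADB connections, app installs, network connections and attempts to delete the log. The article does not describe the real export format, so the JSON-lines layout, the event names, the hostnames and the package names below are all constructed placeholders; the correlation rules are likewise hypothetical and only illustrate how an analyst would turn such a log into findings.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export (hypothetical JSON-lines layout; the article does
# not describe Android's real export format). Hostnames and package names are
# placeholders, not real indicators.
SAMPLE_EXPORT = """\
{"ts": "2025-12-09T08:01:00Z", "event": "device_unlocked", "method": "pin"}
{"ts": "2025-12-09T08:03:10Z", "event": "adb_connected", "host_id": "example-host"}
{"ts": "2025-12-09T08:05:42Z", "event": "app_installed", "package": "com.example.unknown", "installer": "adb"}
{"ts": "2025-12-09T08:06:00Z", "event": "network_connection", "host": "example-suspicious.invalid", "port": 443}
{"ts": "2025-12-09T08:07:30Z", "event": "log_deletion_attempt", "target": "intrusion_log"}
{"ts": "2025-12-10T12:00:00Z", "event": "app_installed", "package": "com.example.benign", "installer": "com.android.vending"}
"""


def parse_export(text):
    """Parse JSON-lines records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def triage(events, window=timedelta(minutes=30)):
    """Return findings worth a human review, each as a dict.

    Hypothetical rules, chosen to match the event kinds the article lists:
    - any attempt to delete the intrusion log is high severity on its own,
      since it suggests evidence tampering;
    - an app installed over ADB within `window` of an ADB connection is high
      severity (sideloading by a connected computer or forensic device);
      an ADB install with no recent ADB connection record is medium.
    """
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] == "log_deletion_attempt":
            findings.append({
                "ts": ev["ts"], "severity": "high",
                "reason": "attempt to delete the intrusion log (possible evidence tampering)",
            })
        elif ev["event"] == "app_installed" and ev.get("installer") == "adb":
            recent_adb = [p for p in events[:i]
                          if p["event"] == "adb_connected" and ev["ts"] - p["ts"] <= window]
            if recent_adb:
                gap = int((ev["ts"] - recent_adb[-1]["ts"]).total_seconds())
                findings.append({
                    "ts": ev["ts"], "severity": "high",
                    "reason": f"{ev['package']} installed over ADB {gap}s after an ADB connection",
                })
            else:
                findings.append({
                    "ts": ev["ts"], "severity": "medium",
                    "reason": f"{ev['package']} installed over ADB with no recent ADB connection logged",
                })
    return findings


def timeline(events):
    """Compact one-line-per-event timeline for a report appendix."""
    lines = []
    for ev in events:
        extra = {k: v for k, v in ev.items() if k not in ("ts", "event")}
        lines.append(f"{ev['ts'].isoformat()} {ev['event']} {json.dumps(extra, sort_keys=True)}")
    return lines


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    for line in timeline(evs):
        print(line)
    for f in triage(evs):
        print(f"[{f['severity'].upper()}] {f['ts'].isoformat()} {f['reason']}")
```

On the constructed sample the script flags two things: the package sideloaded over ADB 152 seconds after the ADB connection, and the later attempt to delete the log. The point of the design is the ordering: an ADB connection on its own is routine for developers, but an ADB connection immediately followed by an install and then a deletion attempt is the sequence an analyst would want surfaced, which is exactly why the article stresses that the log records the deletion attempt itself.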


While it is a step forward, Intrusion Logging has some limits. For now, along with requiring Advanced Protection Mode to be enabled, the feature requires Android’s latest software version, is only available on Google-made Pixel devices, and requires the device to be linked to a Google account. Intrusion Logging also keeps records of browser navigation history and network connections, which people may be wary of sharing with investigators.

Google says Advanced Protection Mode and Intrusion Logging are for people who think they may be at risk of attacks done with spyware and forensic devices, such as human rights defenders, activists, journalists, and dissidents. Advanced Protection Mode is similar to Lockdown Mode for Apple devices, which was also meant for at-risk users and is seen as an effective way to protect against spyware. 

As recently as March, Apple said it has never detected a successful attack against users who have Lockdown Mode enabled. In 2023, security researchers at Citizen Lab said Lockdown Mode actively blocked an attempt to infect a target with NSO’s spyware. 

In its blog post, Amnesty has included step-by-step instructions on how to download the logs if a user suspects or has been notified that they have been targeted with spyware. Apple, Google, and Meta have sent threat notifications to users for years, which researchers have said have been crucial to finding and exposing cases of abuse.
