Google is rolling out a new opt-in feature for Android aimed at helping security researchers investigate spyware attacks.
The feature, called Intrusion Logs, is part of Android's Advanced Protection Mode, a special opt-in security mode that Google launched last year and that enables certain features to make your device harder to hack. Advanced Protection Mode is designed to counter government spyware attacks and crack down on forensic devices that attempt to extract data from personal phones.
These two types of attacks can also be combined. In at least one case documented in Serbia, authorities used law enforcement forensic tools made by Cellebrite to unlock the device and then installed spyware as a further step to continue monitoring the target.
The intrusion logging rollout marks the first time a mobile phone maker has released a feature aimed at helping security researchers investigate spyware attacks. To accomplish this, Android Intrusion Logs creates a new type of log. This log records errors, gathers evidence when software issues occur, and provides visibility into suspected spyware attacks.
Amnesty International, which developed the feature in collaboration with Google, calls intrusion logging “a fundamental shift in the amount and quality of forensic data available on Android devices.”
“Until now, forensic analysis has relied on logs that were never designed for intrusion detection,” Amnesty International wrote in a blog post detailing how intrusion logging works. This meant that previous logs were not stored on devices for long periods of time and were often overwritten, effectively erasing any potential evidence of an attack, making them less useful to researchers.
Amnesty International's Security Lab Director Donncha Ó Cearbhaill told TechCrunch that Android's technical limitations “make it difficult to closely analyze system logs and files for signs of compromise, unlike iOS.”
“These limitations mean that we cannot reliably detect known attacks on Android,” said Ó Cearbhaill, who has investigated dozens of spyware exploits around the world over the years.
Intrusion logs should improve the ability to detect spyware attacks. Google announced this feature a year ago but is only introducing it now. Google said in a blog post on Tuesday that intrusion logs are “currently being rolled out to all devices running Android 16 December update or later.”
How intrusion logs work
Intrusion logs capture events related to security and potential intrusions. The feature creates and collects logs once a day and stores them, encrypted, in the user's Google Account in the cloud. Uploading logs to the cloud may prevent spyware from removing evidence of device compromise. Because the logs are encrypted, only you can access them and share them with investigators; Google cannot.
Events tracked by intrusion logs include: when the phone is unlocked; when applications are installed and uninstalled; the websites and servers that the phone connected to; whether someone connected to the Android Debug Bridge (a tool that allows you to connect a computer, or a forensic device such as one made by Cellebrite, to your Android device); and whether anyone tried to delete logs related to these events, which could indicate an attempt to hide evidence of an attack.
In the event of a spyware attack, these logs can help investigators understand when and how someone's device may have been hacked, or forcibly unlocked and connected to forensic tools, or used to install spyware or stalkerware. The logs can also show whether at some point your phone connected to a malicious website that tried to hack the devices that visited it, or accessed a server designed to extract data from your phone.
Contact Us
Do you have more information about spyware attacks or spyware authors? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382) or on Telegram and Keybase @lorenzofb or by email.
Although an advance, intrusion logging has some limitations. Currently, in addition to requiring Advanced Protection Mode to be enabled, the feature requires the latest software version of Android, is only available on Google-manufactured Pixel devices, and the device must be linked to a Google account. Intrusion logs also keep records of browser navigation history and connections, which some people may be wary of sharing with investigators.
Google says Advanced Protection Mode and Intrusion Logs are aimed at people it believes are at risk of attack from spyware or forensic devices, such as human rights defenders, activists, journalists, and dissidents. Advanced Protection Mode is similar to Lockdown Mode on Apple devices, which is also aimed at at-risk users and is considered an effective way to protect against spyware.
As of March, Apple said it had not detected a single successful attack against users with Lockdown Mode enabled. In 2023, security researchers at Citizen Lab said that Lockdown Mode actively blocked attempts to infect targets with NSO's spyware.
In a blog post, Amnesty International provides step-by-step instructions on how to download logs if you suspect or have been notified of being targeted by spyware. Apple, Google, and Meta have been sending threat notifications to users for years, and researchers say this is critical to detecting and exposing cases of fraud.

