Google launches Android feature to help detect government spyware attacks

Google is rolling out a new Android feature designed to help security researchers catch government spyware in action. The tool addresses a growing threat as authorities worldwide increasingly use commercial spyware and forensic devices to monitor activists, journalists, and dissidents.

The feature, called Intrusion Logging, is part of Android’s Advanced Protection Mode and represents the first time a phone maker has built a tool specifically to help investigators study spyware attacks. Until now, researchers have struggled to gather solid evidence when Android devices get compromised.

A new weapon against digital surveillance

Intrusion Logging creates detailed records of suspicious activity on Android devices. The feature stores these logs encrypted in users’ Google accounts, making it harder for attackers to delete evidence of their intrusion.

Amnesty International, which worked with Google to develop the tool, called it “a fundamental shift in the amount and quality of forensic data available on Android devices.” The human rights group has investigated dozens of spyware cases worldwide and knows firsthand how hard it is to prove digital attacks happened.

“Until now, forensic analysis has relied on logs that were never designed for intrusion detection,” Amnesty explained. Previous Android logs didn’t stick around long and often got overwritten, wiping away potential evidence.

What the feature tracks

Intrusion Logging monitors several key activities that could indicate an attack:

  • When the phone was unlocked
  • App installations and removals
  • Websites and servers the device connected to
  • Connections to Android Debug Bridge, a tool used by forensic devices like Cellebrite
  • Attempts to delete these activity logs

This information can help researchers piece together how and when someone’s device was compromised. For example, the logs might show that authorities used a forensic tool to unlock a phone, then installed spyware to continue monitoring the target – a technique documented in at least one case in Serbia.

Real-world impact for at-risk users

The feature targets people who face heightened digital threats: human rights defenders, activists, journalists, and political dissidents. These groups have become prime targets for commercial spyware made by companies like NSO Group and surveillance tools used by law enforcement.

Google’s Advanced Protection Mode works similarly to Apple’s Lockdown Mode, which has proven effective against spyware attacks. Apple said in March that it has never detected a successful attack against users with Lockdown Mode enabled. In 2023, researchers confirmed that Lockdown Mode blocked an attempt to install NSO’s Pegasus spyware.

The logs are uploaded to the cloud once daily and remain encrypted so that only users can access them. Google cannot read the logs, giving users control over whether to share evidence with investigators.

Current limitations

Intrusion Logging has some restrictions that limit its immediate impact. Users must:

  • Enable Advanced Protection Mode
  • Run the Android 16 December update or newer
  • Use a Google Pixel device
  • Link their device to a Google account

The feature also tracks browsing history and network connections, which some users might hesitate to share with investigators for privacy reasons.

Despite these limits, the tool fills a critical gap in mobile security research. Donncha Ó Cearbhaill from Amnesty’s Security Lab noted that Android’s technical restrictions “have made it difficult to deeply analyze system logs and files for signs of compromise, unlike with iOS.”

Amnesty has published step-by-step instructions for users who suspect they’ve been targeted with spyware. The organization emphasized that threat notifications from companies like Apple, Google, and Meta have been crucial for exposing surveillance abuse worldwide.