
Google is introducing a new optional feature in Android aimed at assisting security researchers in examining spyware incidents.
This feature, termed “Intrusion Logging,” is part of Android’s Advanced Protection Mode, introduced last year. This opt-in security mode activates specific functionalities to enhance device security against hacking attempts. Advanced Protection Mode seeks to mitigate government spyware attacks and forensic tools used by law enforcement to extract information from individuals’ phones.
These two forms of attacks can occur in tandem. In at least one reported instance in Serbia, authorities utilized a forensic tool from Cellebrite to access a device, subsequently installing spyware to maintain surveillance on the target.
The release of Intrusion Logging marks the first occasion a device manufacturer has developed a feature specifically intended to aid security researchers in probing spyware incidents. To make this happen, Android’s Intrusion Logging generates a novel log type that catalogs errors and gathers evidence when irregularities occur within the software, offering insights into suspected spyware attacks.
Amnesty International, which collaborated with Google to create this feature, described Intrusion Logging as “a significant transformation in the quantity and quality of forensic information accessible on Android devices.”
“Historically, forensic investigations relied on logs that were never intended for intrusion detection,” Amnesty noted in a blog entry providing detailed information on how Intrusion Logging operates. Consequently, previous logs lacked utility for researchers as they were stored temporarily and frequently overwritten, effectively obliterating any potential evidence of attacks.
Donncha Ó Cearbhaill, head of Amnesty’s Security Lab, indicated to TechCrunch that Android’s technical constraints “have hindered in-depth analysis of system logs and files for indications of compromise, unlike iOS.”
“These constraints have prevented us from reliably recognizing known threats against Android,” stated Ó Cearbhaill, who has investigated numerous spyware abuse cases globally over the years.
The ability to recognize spyware attacks more effectively is expected to improve with Intrusion Logging. Google announced this feature a year ago, but is only now beginning its deployment. In a blog post on Tuesday, Google stated that Intrusion Logging “is currently being rolled out to all devices operating on the Android 16 December update and newer.”
How Intrusion Logging operates
Intrusion Logging monitors events related to security and possible breaches. Initially, the feature compiles and records logs daily, storing them securely in a user’s Google account in the cloud. By uploading logs to the cloud, it potentially shields evidence of device compromise from being erased by spyware. The logs are also encrypted to ensure that only the user can access them and share them with investigators, preventing Google from accessing the data.
The events tracked by Intrusion Logging include instances of phone unlocking; installation and uninstallation of applications; connections made to websites and servers; whether someone connected via Android Debug Bridge, a tool that enables a computer or forensic device like Cellebrite to link to an Android device; and efforts to erase logs associated with these events, which may suggest attempts to conceal evidence of an attack.
In the context of a spyware breach, these logs can assist investigators in understanding when and how authorities might have compromised or forcibly accessed an individual’s device, linked it to a forensic tool, or used it to implant spyware or stalkerware. The logs may also reveal if a device connected to a malicious site aimed at exploiting visiting devices or accessed servers intended for data extraction from the phone.
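As an added illustration (not code from Google, Amnesty or this article), the sketch below shows how an investigator might correlate the event categories listed above around each Android Debug Bridge connection. The event schema, field names, timestamps and hostnames are constructed assumptions, since the article does not describe the actual export format of Intrusion Logging.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names and event types are a hypothetical
# schema for illustration; the real Intrusion Logging export format is not
# described in this article.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T08:02:11", "type": "unlock"},
    {"ts": "2025-01-10T08:15:40", "type": "network_connect", "detail": "news.example"},
    {"ts": "2025-01-10T14:31:05", "type": "unlock"},
    {"ts": "2025-01-10T14:31:50", "type": "adb_connect"},
    {"ts": "2025-01-10T14:36:22", "type": "app_install", "detail": "com.example.unknown"},
    {"ts": "2025-01-10T14:37:03", "type": "network_connect", "detail": "upload.example"},
    {"ts": "2025-01-10T14:39:47", "type": "log_wipe_attempt"},
    {"ts": "2025-01-11T09:00:00", "type": "app_install", "detail": "com.example.maps"},
]

def triage(events, window=timedelta(minutes=30)):
    """Group what happened around each ADB connection into one finding."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    findings = []
    for adb in (e for e in parsed if e["type"] == "adb_connect"):
        before = [e for e in parsed if adb["ts"] - window <= e["ts"] < adb["ts"]]
        after = [e for e in parsed if adb["ts"] < e["ts"] <= adb["ts"] + window]
        finding = {
            "adb_at": adb["ts"].isoformat(),
            "unlock_before": any(e["type"] == "unlock" for e in before),
            "installs": [e["detail"] for e in after if e["type"] == "app_install"],
            "hosts": [e["detail"] for e in after if e["type"] == "network_connect"],
            "log_wipe": any(e["type"] == "log_wipe_attempt" for e in after),
        }
        # Score: one point per corroborating signal near the ADB session;
        # an attempt to erase logs counts double.
        finding["score"] = (
            int(finding["unlock_before"]) + int(bool(finding["installs"]))
            + int(bool(finding["hosts"])) + 2 * int(finding["log_wipe"])
        )
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

A high score only marks a time window worth a closer manual look; a developer using ADB on their own phone would produce some of the same events.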
Although it’s a positive development, Intrusion Logging has certain limitations. Currently, in addition to needing to activate Advanced Protection Mode, this feature requires the latest Android software version, is exclusively available for Google-produced Pixel devices, and necessitates linking the device to a Google account. Intrusion Logging maintains records of browsing history and connections, which some individuals may hesitate to share with investigators.
Google asserts that Advanced Protection Mode and Intrusion Logging cater to individuals who might be vulnerable to spyware and forensic device attacks, including human rights advocates, activists, journalists, and dissidents. Advanced Protection Mode is akin to Lockdown Mode for Apple devices, also designed for high-risk users and regarded as an effective strategy against spyware.
As recently as March, Apple stated it has never found a successful attack against users who enabled Lockdown Mode. In 2023, security researchers from Citizen Lab reported that Lockdown Mode successfully thwarted an attempt to compromise a target with NSO’s spyware.
In its blog post, Amnesty provided comprehensive instructions on retrieving the logs if a user suspects or has been alerted to being targeted by spyware. Apple, Google, and Meta have been notifying users about threats for years, which researchers indicate has been vital for identifying and exposing abuse cases.

