Google Launches Android Intrusion Logging to Stop Sophisticated Spyware

Google rolls out Intrusion Logging for Android, a forensic opt-in feature built with Amnesty International to detect and expose sophisticated spyware attacks targeting journalists and activists.
For the better part of a decade, investigating commercial spyware on Android devices was a task that fell almost entirely to forensic specialists working well after the damage was done. The tools they had were inadequate for the job — short-lived log files not designed for intrusion detection, easily overwritten by the same malware they were meant to expose.

Google has moved to change that. The company began rolling out a new opt-in security feature called Intrusion Logging on Tuesday, built into Android's Advanced Protection Mode. The feature was developed over the past year in direct partnership with Amnesty International's Security Lab and Reporters Without Borders, two organizations that have been at the front lines of investigating commercial spyware deployed against journalists, activists, and human rights defenders worldwide. It marks the first time a major device manufacturer has released a feature built specifically to help forensic researchers detect and investigate sophisticated attacks on mobile devices.

The core function is straightforward in purpose. Intrusion Logging creates a dedicated log that records security-relevant events on the device once per day — including when the phone was unlocked, when applications were installed or removed, what websites and servers the device connected to, connections to Android Debug Bridge, and any attempts to delete the logs themselves. Those logs are end-to-end encrypted and uploaded to the user's Google account in the cloud.

The cloud storage is a deliberate design choice: keeping the logs off the device means a sophisticated piece of spyware that achieves system-level access cannot simply erase the evidence of its own intrusion. Only the user can access the logs and choose to share them with investigators — Google itself cannot read the contents.

Amnesty International, which acted as a design partner throughout development, described the result in stark terms, calling Intrusion Logging a fundamental shift in the amount and quality of forensic data available on Android devices. The organization noted that until now forensic analysis had relied on logs that were never designed for intrusion detection — records that did not remain on the device for long and were frequently overwritten, effectively erasing potential evidence of attacks. Donncha Ó Cearbhaill, head of Amnesty's Security Lab, noted that Android's architectural constraints had long made it harder to analyze system logs for signs of compromise compared to iOS, a gap this feature directly addresses.

The need for such a tool is well-documented in the field. Commercial spyware has expanded from an intelligence agency instrument into a broader surveillance industry, with products like NSO Group's Pegasus deployed against civilian targets across multiple continents. Attacks have also grown more layered. In one documented case in Serbia, authorities used Cellebrite — a law enforcement forensic hardware tool — to unlock a device and then installed spyware to maintain ongoing surveillance of the target. Intrusion Logging is specifically designed to leave a structured record of exactly those kinds of multi-stage intrusions.

To make the feature accessible to investigators, Amnesty International simultaneously released updated versions of two forensic tools alongside Google's rollout. AndroidQF, a forensic acquisition tool, has been updated to automate the collection of Intrusion Logging data directly from a device. The Mobile Verification Toolkit, widely known as MVT, has been updated to support initial analysis of those logs. Together, the tools are designed to help security labs identify new spyware variants faster by examining the behavioral signatures and error patterns that targeted attacks typically generate.

The feature carries real limitations worth noting. Intrusion Logging currently runs only on Google's own Pixel devices, and only those running the Android 16 December update or newer. The device must be linked to a Google account. The logs can include sensitive data — browser navigation history and server connections among them — which means sharing them with an investigator requires careful handling. Advanced Protection Mode, of which Intrusion Logging is a part, is explicitly designed for individuals who face elevated risk: journalists, political dissidents, activists, and others with concrete reasons to believe they may be targets.

Eugene Liderman, Google's director of Android security and privacy, described the feature as enabling persistent and privacy-preserving forensics logging to allow for investigation of devices in the event of a suspected compromise. The announcement came alongside a broader set of Android security updates, including a new verified financial calls feature aimed at banking scam protection and expanded privacy controls around how apps request access to contacts.

Whether Intrusion Logging will shift the forensic balance meaningfully against well-resourced spyware vendors is a question researchers will spend months answering. The surveillance industry has historically adapted quickly to new detection mechanisms. What the feature establishes regardless is something the mobile security community has long called for: a forensic baseline actually designed for finding intrusions, rather than one that investigators have had to bend to that purpose long after the fact.
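To illustrate the kind of multi-stage pattern the article says Intrusion Logging is meant to preserve (ADB access, then an app install, then an attempt to delete the logs), here is an added triage example; it is not Google's, Amnesty's, AndroidQF's or MVT's code. The JSON-lines layout, the event names and the sample entries are constructed for illustration, since the article does not describe the real log schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical JSON-lines layout (the real
# Intrusion Logging schema is not described in the article).
SAMPLE_LOG = """\
{"ts": "2025-12-02T08:01:10Z", "event": "device_unlocked"}
{"ts": "2025-12-02T08:02:30Z", "event": "network_connect", "host": "example.org"}
{"ts": "2025-12-02T14:10:00Z", "event": "adb_connected"}
{"ts": "2025-12-02T14:11:45Z", "event": "app_installed", "package": "com.example.suspicious"}
{"ts": "2025-12-02T14:12:05Z", "event": "log_delete_attempt"}
{"ts": "2025-12-03T09:00:00Z", "event": "app_installed", "package": "com.example.benign"}
"""

# Multi-stage pattern: ADB access, then an install, then an attempt to erase evidence.
CHAIN = ("adb_connected", "app_installed", "log_delete_attempt")
WINDOW = timedelta(hours=1)

def parse_log(text):
    """Parse JSON lines into (timestamp, record) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError, TypeError):
            continue  # one corrupt line must not abort the whole triage pass
        events.append((ts, rec))
    return sorted(events, key=lambda e: e[0])

def find_intrusion_chains(events, chain=CHAIN, window=WINDOW):
    """Return each occurrence of `chain` completed within `window` of its first step."""
    findings = []
    for i, (start_ts, start) in enumerate(events):
        if start["event"] != chain[0]:
            continue
        matched, pos = [start], 1
        for ts, rec in events[i + 1:]:
            if ts - start_ts > window:
                break  # later stages outside the window are not part of this chain
            if rec["event"] == chain[pos]:
                matched.append(rec)
                pos += 1
                if pos == len(chain):
                    findings.append(matched)
                    break
    return findings

if __name__ == "__main__":
    for chain in find_intrusion_chains(parse_log(SAMPLE_LOG)):
        print(json.dumps(chain, indent=2))
```

Because the log is held off-device, the `log_delete_attempt` entry survives as the final link of the chain rather than being erased along with the evidence it targets.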