Google has introduced Intrusion Logging, a new forensic feature for Android devices, designed to detect and log sophisticated attacks, including those from spyware vendors. The feature was announced on Tuesday and marks a significant step in digital forensics, according to Amnesty International.

The tech giant began developing Intrusion Logging last year as part of Android Advanced Protection Mode. It is now being rolled out to users.

"The new intrusion logging feature promises to be a major aid to digital forensics researchers undertaking investigations into sophisticated attacks on Android devices," Amnesty International stated in a technical briefing on Tuesday. "This is the first time a major device vendor has released a feature specifically to enhance the ability to forensically detect and respond to advanced digital threats."

Intrusion Logging records security incidents such as device unlocking, physical access, and spyware installation or removal. Previously, independent investigators relied on short-lived log files not intended for forensic use, making detection of advanced threats more difficult.

Google’s annual security and privacy update for Android highlights the feature’s development alongside partners like Amnesty International and Reporters Without Borders. The update also introduces new protections against banking scam calls, additional suspicious activity detection, and enhanced privacy safeguards.

Eugene Liderman, director of Android security and privacy, explained the feature’s purpose:

"Intrusion Logging enables persistent and privacy-preserving forensics logging to allow for investigation of devices in the event of a suspected compromise."

Intrusion Logging joins other industry efforts to combat sophisticated attacks, such as Apple’s Lockdown Mode and Memory Integrity Enforcement, and WhatsApp’s Strict Account Settings.

Donncha Ó Cearbhaill, head of the Amnesty International Security Lab, praised the feature:

"Intrusion Logging promises to help shift the balance to the advantage of defenders, providing civil society investigators with the key evidence needed to detect and expose some of the most advanced attacks facing journalists and activists."

He added:

"With Intrusion Logging, Google is the first major vendor to proactively address the challenge of detecting advanced attacks on devices. By making more consensual forensic data available for researchers, we can make life more difficult for attackers and help civil society seek accountability when their devices are unlawfully targeted by spyware and mobile data extraction tools."

However, Intrusion Logging has limitations. It requires Android 16 and is currently available only on Pixel devices. The device must be linked to a Google account. Logs may include sensitive data, such as browser navigation history, so they need to be shared securely. Ó Cearbhaill noted that attackers could potentially delete logs, though future updates aim to strengthen protections against this.

Despite these constraints, the feature is expected to significantly improve the detection of advanced attacks targeting high-risk users.

Source: CyberScoop