Google Launches Android Intrusion Logging to Help Uncover Spyware Attacks
Google has quietly begun rolling out a new security tool called Android Intrusion Logging, designed to give researchers and at-risk users a clearer picture of potential spyware infections. This opt-in feature, part of the existing Advanced Protection Mode, marks the first time a smartphone manufacturer has introduced a specific mechanism to aid in the forensic investigation of digital espionage.
What Is Android Intrusion Logging?
Intrusion Logging creates a dedicated log that records system errors and other anomalies, capturing evidence when something goes wrong with the software. Unlike standard system logs, which are often overwritten quickly and not built for security analysis, this new log is stored encrypted in the user’s Google account in the cloud. This approach prevents spyware from deleting traces of an attack, as the cloud copy remains intact.
According to Amnesty International, which collaborated with Google on the feature, this represents “a fundamental shift in the amount and quality of forensic data available on Android devices.” Previously, researchers struggled to detect compromises because logs were temporary and easily erased. Now, with cloud-based storage, investigators have a more reliable source of evidence.
How Does Intrusion Logging Work in Practice?
Once enabled, Intrusion Logging tracks a range of events that could indicate a spyware attack. These include: when the phone was unlocked, when apps were installed or uninstalled, which websites and servers the device connected to, and whether someone used Android Debug Bridge (ADB) — a tool that allows a computer or forensic device like Cellebrite to connect to the phone. The feature also logs any attempts to delete these records, which could signal an effort to hide evidence.
The logs help investigators understand the timeline of an attack. For example, they can show whether a phone was forcibly unlocked and connected to a forensics tool, or whether it accessed a malicious website designed to install spyware. This data is encrypted end-to-end, meaning only the user can access and share it with researchers; Google itself cannot view the logs.
Who Should Use This Feature?
Google designed Advanced Protection Mode and Intrusion Logging for people who face heightened digital threats, such as human rights defenders, activists, journalists, and dissidents. These groups are often targets of government spyware or police forensic tools that attempt to extract data from devices. The feature is similar to Apple’s Lockdown Mode, which has proven effective against spyware — Apple stated in March that it has never detected a successful attack on users with Lockdown Mode enabled.
However, there are limitations. Currently, Intrusion Logging requires Android 16 or newer, works only on Google Pixel devices, and needs a linked Google account. Some users may also be wary of sharing browser navigation history with investigators. Despite these constraints, the feature is a significant step forward for spyware detection on Android.
Amnesty’s Role and Expert Insights
Donncha Ó Cearbhaill, head of Amnesty’s Security Lab, told TechCrunch that Android’s previous technical limits made it difficult to deeply analyze system logs. “These limits have meant we’ve been unable to reliably detect known attacks against Android,” he said. With Intrusion Logging, researchers now have a better chance of identifying and understanding spyware campaigns.
Amnesty has published step-by-step instructions on how to download and share logs if a user suspects they have been targeted. This complements existing threat notification systems from Google, Apple, and Meta, which have been vital in exposing abuse cases.
Why This Matters for the Future of Mobile Security
The rollout of Android Intrusion Logging is a direct response to the growing threat of commercial spyware and forensic tools. In at least one documented case in Serbia, authorities used a Cellebrite device to unlock a phone and then installed spyware for ongoing surveillance. This feature aims to make such attacks more visible and harder to conceal.
For users concerned about privacy, the encrypted cloud storage ensures that only they control the data. For researchers, the new logs provide a forensic trail that was previously unavailable. As Google continues to refine the feature, it could become a standard tool for anyone at risk of digital espionage.