Google is launching a new Android security feature to help detect spyware attacks

Source: TechCrunch

📂 **Category**: Security,Amnesty International,Android,cybersecurity,Google,hacking,Spyware,surveillance

Google is rolling out a new opt-in feature for Android aimed at helping security researchers investigate spyware attacks.

The feature is called “Intrusion Logging” and is part of Android’s Advanced Protection Mode, a special security mode Google launched last year that enables certain features with the goal of making a device more difficult to hack. Advanced Protection Mode is designed to counter government spyware attacks and police forensics that try to extract data from a person’s phone.

These two types of attacks can also be combined. In at least one documented case in Serbia, authorities used a law enforcement forensic tool made by Cellebrite to unlock a device, then installed spyware as a further step to continue monitoring the target.

The rollout of Intrusion Logging marks the first time a phone maker has launched a feature aimed at helping security researchers investigate spyware attacks. To achieve this, Android’s Intrusion Logging system creates a new type of log, which logs errors and collects evidence when something goes wrong in the software, to provide clear visibility into suspected spyware attacks.

Amnesty International, which worked with Google to develop the feature, called Intrusion Logging “a fundamental shift in the quantity and quality of forensic data available on Android devices.”

“Until now, forensic analysis has relied on logs that were never designed to detect intrusion,” Amnesty International wrote in a blog post detailing how intrusion logs work. This meant that previous logs were not useful to researchers, because they did not remain on the device for long, and were often overwritten, effectively erasing potential evidence of attacks.

Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, told TechCrunch that Android’s technical limitations “made it difficult to conduct a deep analysis of system logs and files for signs of compromise, unlike iOS.”

“These limitations meant we couldn’t reliably detect known attacks against Android,” said Ó Cearbhaill, who for years has investigated dozens of cases of spyware abuse around the world.

Intrusion Logging should improve the ability to detect spyware attacks. Google announced this feature a year ago, but the company is only now rolling it out. In a blog post on Tuesday, Google said that intrusion logging is “currently rolling out to all devices running the Android December 16 update and later.”

How does Intrusion Logging work?

Intrusion logging captures security-related events and potential intrusions. For starters, the feature creates and collects logs once a day and stores them encrypted in users’ Google account in the cloud. Uploading logs to the cloud will likely prevent spyware from deleting evidence that the device has been compromised. The logs are also encrypted so that only the user can access and share the logs with investigators, and Google cannot access them.

Among the events that Intrusion Logging tracks are when the phone is unlocked; when applications are installed and uninstalled; what locations and servers the phone connects to; whether someone has connected to the Android Debug Bridge, a tool that allows a computer or a forensic tool like Cellebrite to communicate with an Android device; and whether someone has attempted to delete records relating to these events, which may indicate an attempt to hide evidence of the attack.

In the event of a spyware attack, these logs can help investigators understand when and how authorities compromised or forcibly opened someone’s device, linked it to a forensic tool, or used it to install spyware or stalkerware. The logs can also determine whether the phone at some point connected to a malicious website trying to compromise the visiting device, or to servers designed to extract data from the phone.

Contact us

Do you have more information about spyware attacks, or spyware makers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram and Keybase @lorenzofb, or email.

Although it is a step forward, Intrusion Logging has some limitations. Currently, besides needing Advanced Protection Mode to be enabled, this feature requires the latest Android software version, is only available for Google-made Pixel devices, and the device must be linked to a Google account. Intrusion Logging keeps records of browser navigation and communications history, which people may be wary of sharing with investigators.

Google says Advanced Protection Mode and Intrusion Logging are intended for people who believe they may be at risk of attacks using spyware and forensic hardware, such as human rights defenders, activists, journalists, and dissidents. Advanced Protection Mode is similar to Lockdown Mode for Apple devices, which was also intended for vulnerable users and is seen as an effective way to protect against spyware.

Last March, Apple said it had never detected a successful attack against users who had Lockdown Mode enabled. In 2023, security researchers at Citizen Lab said Lockdown Mode effectively prevented an attempt to infect a target with NSO spyware.

In its blog post, Amnesty International included step-by-step instructions on how to download the logs if a user suspects or is notified of being targeted by spyware. Apple, Google and Meta have sent threat notifications to users for years, which researchers say have been crucial in finding and detecting cases of abuse.

🕒 **Posted on**: 1778656697
