Google is rolling out a new opt-in feature on Android that aims to help security researchers investigate spyware attacks.
The feature is called “Intrusion Logging” and is part of Android’s Advanced Protection mode, which Google released last year. Advanced Protection is a special security setting that turns on a set of features aimed at making the device harder to hack; it is designed to counter government spyware attacks and police forensic tools that try to extract data from a person’s phone.
These two types of attacks can also be combined. In at least one documented case in Serbia, authorities used a law enforcement forensic tool made by Cellebrite to unlock a device and then installed spyware as a further step to continue tracking the target.
Intrusion Logging is the first feature from a phone maker aimed at helping security researchers investigate spyware attacks. To achieve this, Android’s Intrusion Logging creates a new type of log that records security-relevant events and preserves evidence when something goes wrong on the device, giving investigators visibility into suspected spyware attacks.
Amnesty International, which worked with Google to develop the feature, called intrusion logging “a fundamental change in the quantity and quality of forensic data available on Android devices.”
“Until now, forensic analysis has relied on logs that were never designed for intrusion detection,” Amnesty wrote in a blog post that explains in detail how intrusion logging works. This meant that previous logs were not as useful to researchers: they did not remain on the device for long and were often overwritten, effectively erasing potential evidence of attacks.
Donncha Ó Cearbhaill, head of the Amnesty Security Lab, told TechCrunch that Android’s technical limits “have made it difficult to deeply analyze logs and system files for signs of compromise, unlike iOS.”
“These limits mean we haven’t been able to reliably detect known attacks against Android,” said Ó Cearbhaill, who has spent years investigating dozens of spyware abuse cases around the world.
Intrusion logging should improve the ability to detect spyware attacks. Google announced the feature a year ago, but the company is only now rolling it out. In a blog post on Tuesday, Google said that Intrusion Logging is “currently available on all devices running the December 16 Android update and later.”
How intrusion logging works
Intrusion logging records security-related events and potential intrusions. For starters, the feature collects the logs once a day and stores them encrypted in the user’s Google account in the cloud. Uploading the logs to the cloud makes it harder for spyware to delete evidence of tampering from the device. The logs are also encrypted so that only the user can access them and share them with researchers; Google cannot read them.
Among the events that Intrusion Logging tracks are: when the phone was unlocked; when apps are installed and uninstalled; which websites and servers the phone connected to; whether the phone was connected to the Android Debug Bridge (ADB), a developer tool that lets a computer, or a device such as a Cellebrite forensic tool, connect to an Android device; and whether someone tried to delete the logs of those events, which could indicate an attempt to hide traces of an attack.
In the event of a spyware attack, these logs can help investigators understand when and how authorities may have hacked or brute-force unlocked someone’s device, connected it to a forensic tool, or used that access to install spyware or stalkerware. The logs can also show whether the phone at some point connected to a malicious website that tries to hack visiting devices, or to servers designed to extract data from the phone.
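The kind of correlation an investigator would run over such logs, as an added example rather than Google’s or Amnesty’s code: the article does not publish the Intrusion Logging format, so the JSON-lines records, field names (ts, event, package, installer, host) and the sample timeline below are assumptions, constructed to mirror the Serbia case (unlock, ADB session from a forensic tool, app install over ADB, attempt to wipe the logs). Only the event kinds come from the text.

```python
"""Correlate constructed intrusion-log style events into an attack timeline.

Added example, not Google's or Amnesty's code. The real Intrusion Logging
record format is not described in the article, so the JSON fields below are
assumptions; only the event kinds (unlock, app install, network connection,
ADB connection, log deletion attempt) come from the text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# Constructed sample log (made-up timestamps, package names and hosts),
# modelled on the Serbia case: unlock -> ADB session -> install -> log wipe.
SAMPLE_LOG = """\
{"ts": "2025-01-10T09:02:11Z", "event": "unlock", "method": "pin"}
{"ts": "2025-01-10T09:04:40Z", "event": "adb_connect", "transport": "usb"}
{"ts": "2025-01-10T09:06:05Z", "event": "app_install", "package": "com.example.update", "installer": "adb"}
{"ts": "2025-01-10T09:07:30Z", "event": "net_connect", "host": "203.0.113.7"}
{"ts": "2025-01-10T09:09:02Z", "event": "log_delete_attempt", "result": "blocked"}
{"ts": "2025-01-11T18:30:00Z", "event": "unlock", "method": "fingerprint"}
{"ts": "2025-01-11T18:31:12Z", "event": "app_install", "package": "com.example.chat", "installer": "com.android.vending"}
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    attrs: dict


def parse_log(text):
    """Parse JSON-lines records into time-ordered Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        attrs = {k: v for k, v in rec.items() if k not in ("ts", "event")}
        events.append(Event(ts, rec["event"], attrs))
    return sorted(events, key=lambda e: e.ts)


def find_adb_install_chains(events, window=timedelta(minutes=30)):
    """For each ADB session, report whether an unlock preceded it within
    `window`, which packages were installed via ADB afterwards, which hosts
    were contacted, and whether a log deletion attempt followed.
    This is a heuristic for triage, not a signature of any real tool."""
    findings = []
    for i, ev in enumerate(events):
        if ev.kind != "adb_connect":
            continue
        unlocked_before = any(
            e.kind == "unlock" and ev.ts - e.ts <= window for e in events[:i]
        )
        later = [e for e in events[i + 1:] if e.ts - ev.ts <= window]
        installs = [
            e.attrs.get("package") for e in later
            if e.kind == "app_install" and e.attrs.get("installer") == "adb"
        ]
        findings.append({
            "adb_at": ev.ts.isoformat(),
            "unlocked_before": unlocked_before,
            "adb_installs": installs,
            "new_hosts": [e.attrs.get("host") for e in later if e.kind == "net_connect"],
            "log_delete_attempt": any(e.kind == "log_delete_attempt" for e in later),
        })
    return findings


def severity(finding):
    """Rank a finding: ADB-driven installs and log tampering weigh most."""
    score = 0
    if finding["adb_installs"]:
        score += 2
    if finding["log_delete_attempt"]:
        score += 2
    if finding["unlocked_before"]:
        score += 1
    return "high" if score >= 4 else "medium" if score >= 2 else "low"


if __name__ == "__main__":
    for f in find_adb_install_chains(parse_log(SAMPLE_LOG)):
        print(severity(f), f)
```

The second day's unlock and Play Store install fall outside the window and carry no ADB involvement, so they produce no finding; only the forensic-tool session is flagged. The cloud-stored copy of the log is what makes the final `log_delete_attempt` record survive to be correlated at all.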
Contact us
Do you have more information about spyware attacks or spyware manufacturers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram and Keybase at @lorenzofb, or via email.
Although it is a step forward, intrusion logging has some limits. Currently, in addition to enabling Advanced Protection, the feature requires the latest version of Android, is only available on Google Pixel devices, and requires the device to be signed in to a Google account. Intrusion logging also keeps records of browsing history and browser connections, which users may be wary of sharing with researchers.
Google says Advanced Protection and Intrusion Logging are for people who believe they may be at risk from spyware and forensic attacks, such as human rights defenders, activists, journalists and dissidents. Advanced Protection is similar to Lockdown Mode on Apple devices, which was also intended for at-risk users and is considered an effective way to protect against spyware.
As recently as March, Apple said it had never detected a successful attack against users with Lockdown Mode enabled. In 2023, security researchers at Citizen Lab said Lockdown Mode actively blocked an attempt to infect a target with NSO Group’s spyware.
In its blog post, Amnesty included step-by-step instructions on how to download the logs if a user suspects, or has been notified, that they have been targeted with spyware. Apple, Google and Meta have sent threat alerts to users for years, which researchers say have been crucial to finding and uncovering abuse.
