Google Launches Android Security Feature: 5 Ways to Detect Spyware

A New Layer of Defense for Android Users

Spyware attacks have become a growing threat, especially for journalists, human rights defenders, and political activists. These malicious programs can silently record calls, steal messages, and track locations. Until recently, detecting such intrusions on Android was nearly impossible because system logs were too short-lived or easily overwritten. Now Google has introduced a tool called Intrusion Logging, part of the Advanced Protection Mode, designed specifically to help security researchers and at-risk users uncover evidence of spyware. This feature marks the first time a phone manufacturer has built a capability with the explicit purpose of aiding spyware investigations. Let us explore how it works and five concrete ways it can flag potential compromises.


What Is Android Intrusion Logging?

Intrusion Logging is an opt-in feature that records security-related events on a device. Google announced the feature roughly a year ago, but it is only now rolling out to devices running the Android 16 December update or newer. The logs are generated once per day, encrypted, and stored in the user’s Google account cloud storage. Because the data lives off the device, spyware cannot easily delete the evidence after an attack. Only the account owner holds the encryption keys, so Google itself cannot read the logs. Amnesty International collaborated with Google on this development and described it as “a fundamental shift in the amount and quality of forensic data available on Android devices.”

The feature is part of Advanced Protection Mode, a special security tier aimed at users who face targeted threats from government-grade spyware and forensic extraction tools such as Cellebrite. In a documented case in Serbia, authorities used a Cellebrite device to unlock a phone and then installed spyware to continue surveillance. Intrusion Logging is designed to capture exactly that kind of multi-stage attack. Android Intrusion Logging thus provides a forensic layer that earlier log systems lacked. According to Donncha Ó Cearbhaill, head of Amnesty’s Security Lab, Android’s technical constraints previously made it difficult to deeply analyze system logs for signs of compromise — unlike iOS. This new approach changes the game.

5 Ways Intrusion Logging Helps Detect Spyware

The logs capture a specific set of events. By analyzing these records, investigators and users can identify suspicious activity that points to spyware. Here are five critical detection methods made possible by the feature.

1. Tracking Device Unlocks to Detect Unauthorized Physical Access

Spyware often requires physical access to a device for installation. Attackers — whether law enforcement agencies or malicious actors — may forcibly unlock a phone using forensic tools like Cellebrite or even brute-force passcodes. Intrusion Logging records every instance when the phone is unlocked, including the method used if available. If a user notices an unlock event that occurred during a time when they were asleep or away from the device, that could indicate a break-in. For example, a human rights activist whose phone was seized at a border checkpoint can later check the logs to see exactly when the device was unlocked after the seizure. This timestamp creates a starting point for deeper investigation.

2. Monitoring App Installations and Uninstallations

Spyware often enters a device through a seemingly benign app or via a sideloaded package. Once installed, the malicious app may attempt to hide its presence. Intrusion Logging records all application installations and removals, along with timestamps. If a user sees an app that they never consciously installed — especially one that requests unusual permissions — it is a red flag. Conversely, if spyware tries to uninstall itself after detection, that event is also logged. The log can reveal the exact moment a suspicious application appeared, helping forensic analysts match it against known spyware samples.

3. Logging Network Connections to Malicious Servers

Many spyware strains communicate with command-and-control servers to upload stolen data or receive instructions. Intrusion Logging captures the websites and external servers the device connects to. Security researchers can cross-reference these IP addresses or domains against threat intelligence feeds. If a phone suddenly starts connecting to a known malicious server — perhaps one linked to a commercial spyware vendor like NSO Group or to a stalkerware operation — the log entry provides concrete evidence. This capability is especially valuable when spyware uses encrypted channels; even if the content is hidden, the connection itself is recorded. The logs can also reveal connections to phishing sites that attempt to trick the user into granting permissions.

4. Detecting Android Debug Bridge (ADB) Connections

ADB is a developer tool that allows a computer to control an Android device. Forensic extraction tools like Cellebrite rely on ADB to pull data or install software. When an ADB connection is initiated, Android logs the event under Intrusion Logging. Attackers may also use ADB to push spyware onto a device without the user’s knowledge. If a user sees an ADB connection that they did not initiate — for instance, while traveling or during a legal search — it strongly suggests a forensic intrusion. This is one of the most powerful indicators because spyware rarely leaves any other visible trace of the connection method. The log includes the timestamp, making it possible to reconstruct the entire attack timeline.

5. Recording Attempts to Delete Logs

Sophisticated spyware often tries to clean up after itself to avoid detection. Intrusion Logging specifically monitors whether anyone attempts to delete the logs. If a user sees entries that indicate log deletion attempts, that is itself a major red flag. Even if the spyware succeeds in erasing some records, the deletion attempt is logged in the cloud-based storage — safe from the attacker. This creates a trail of cover-up activity. For instance, if logs disappear frequently and new deletion events appear, the device may be compromised. This feature turns the attacker’s own cleanup behavior into incriminating evidence.
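The five indicators above are all simple rules over a timeline of recorded events, and they are most telling when several of them land within minutes of each other (the unlock-then-ADB-then-install chain described in the Serbia case). The script below is an added example, not code from Google, Amnesty International, or the article: it takes a constructed JSON-lines export (the real Intrusion Logging export format is not described in the article, so the field names `ts`, `type`, `package`, `dest`, `host` and `actor` are assumptions), applies the five checks, and groups findings that fall within 30 minutes of one another into candidate attack windows. All package names, domains and timestamps in the sample are made up.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export (hypothetical format; values are made up).
SAMPLE_LOG = """\
{"ts": "2025-12-03T22:14:05+00:00", "type": "unlock", "method": "pin"}
{"ts": "2025-12-04T03:27:41+00:00", "type": "unlock", "method": "unknown"}
{"ts": "2025-12-04T03:29:10+00:00", "type": "adb_connect", "host": "usb"}
{"ts": "2025-12-04T03:31:55+00:00", "type": "app_install", "package": "com.example.sysupdate"}
{"ts": "2025-12-04T03:35:02+00:00", "type": "net_connect", "dest": "update-check.example-bad.net"}
{"ts": "2025-12-04T08:02:19+00:00", "type": "net_connect", "dest": "www.example.org"}
{"ts": "2025-12-04T09:40:00+00:00", "type": "app_install", "package": "org.example.browser"}
{"ts": "2025-12-04T11:12:33+00:00", "type": "log_delete_attempt", "actor": "com.example.sysupdate"}
{"ts": "2025-12-04T11:13:00+00:00", "type": "app_uninstall", "package": "com.example.sysupdate"}
"""

# Apps the user remembers installing, and a constructed threat-intel list.
KNOWN_PACKAGES = {"org.example.browser"}
BAD_DESTINATIONS = {"update-check.example-bad.net"}


def parse_events(text):
    """Parse the (assumed) JSON-lines export into a chronological event list."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def triage(events, known_packages, bad_destinations, quiet_hours=(0, 6)):
    """Apply the five indicators from the article; return (rule, time, detail) tuples.

    quiet_hours is a [start, end) hour range, in the timezone of the timestamps,
    during which the owner would not normally unlock the phone.
    """
    findings = []
    installed_in_window = set()
    start, end = quiet_hours
    for ev in events:
        t, kind = ev["ts"], ev["type"]
        if kind == "unlock" and start <= t.hour < end:          # 1. odd-hour unlock
            findings.append(("unlock_during_quiet_hours", t, ev.get("method", "?")))
        elif kind == "app_install":                             # 2. installs
            pkg = ev["package"]
            installed_in_window.add(pkg)
            if pkg not in known_packages:
                findings.append(("unexpected_install", t, pkg))
        elif kind == "app_uninstall":                           # 2. self-removal
            if ev["package"] in installed_in_window:
                findings.append(("short_lived_app", t, ev["package"]))
        elif kind == "net_connect" and ev["dest"] in bad_destinations:  # 3. C2 match
            findings.append(("known_bad_destination", t, ev["dest"]))
        elif kind == "adb_connect":                             # 4. ADB session
            findings.append(("adb_connection", t, ev.get("host", "?")))
        elif kind == "log_delete_attempt":                      # 5. log tampering
            findings.append(("log_tampering", t, ev.get("actor", "?")))
    return findings


def cluster_findings(findings, gap=timedelta(minutes=30)):
    """Group findings separated by at most `gap` into candidate attack windows."""
    windows = []
    for f in findings:
        if windows and f[1] - windows[-1][-1][1] <= gap:
            windows[-1].append(f)
        else:
            windows.append([f])
    return windows


def run_demo():
    """Triage the constructed sample and return (findings, windows)."""
    findings = triage(parse_events(SAMPLE_LOG), KNOWN_PACKAGES, BAD_DESTINATIONS)
    return findings, cluster_findings(findings)


if __name__ == "__main__":
    findings, windows = run_demo()
    for i, window in enumerate(windows, 1):
        print(f"candidate attack window {i}: {window[0][1]} .. {window[-1][1]}")
        for rule, t, detail in window:
            print(f"  {t.isoformat()}  {rule:<28} {detail}")
```

On the sample this yields six findings in two windows: a night-time unlock followed within eight minutes by an ADB session, an unrecognised install and a connection to a listed destination, and a second window later that morning in which the same package attempts to delete the logs and then removes itself. The quiet-hours check is only meaningful if the timestamps are interpreted in the owner's local timezone, and the threat-intel set is whatever feed the analyst trusts; neither is something the tool decides for you.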


Who Should Enable Intrusion Logging?

Google designed Advanced Protection Mode — and by extension Intrusion Logging — for people who face extraordinary threats. High-risk groups include journalists covering corruption, human rights defenders, political dissidents, and lawyers handling sensitive cases. Ordinary consumers are less likely to be targeted by government-grade spyware, but anyone concerned about stalkerware or corporate espionage can still benefit. The feature is optional and must be manually activated. For now, Intrusion Logging is available on Pixel devices running the Android 16 December update or later, with a Google account and Advanced Protection Mode enabled.

This approach mirrors Apple’s Lockdown Mode, which was introduced for at-risk users on iOS. Apple has stated that it has never detected a successful attack against a device with Lockdown Mode active. While Android’s Advanced Protection Mode is relatively new, the addition of Intrusion Logging brings a significant detection capability that was missing.

Limitations and What Lies Ahead

Intrusion Logging is not a silver bullet. The feature only captures events once per day, which means a fast attack that installs spyware and deletes evidence within a few hours might leave gaps. Additionally, the logs are only useful if the user actively shares them with investigators — they do not automatically alert the user of an intrusion. At present, the feature is limited to Pixel devices and requires Advanced Protection Mode, which may deter some users due to its stricter security restrictions. Google has not announced plans to expand it to other Android brands, but the company recently committed to bringing Advanced Protection Mode to more devices in the future.

Despite these constraints, Android Intrusion Logging represents a fundamental improvement. For years, Amnesty International and other researchers struggled to provide concrete proof of spyware attacks on Android because system logs were not designed for forensic retention. Now, with encrypted cloud storage and a targeted set of recorded events, the landscape is shifting. Journalists who suspect their phones have been compromised can finally share verifiable data with security teams. Law enforcement misuse becomes harder to cover up when tampering itself is logged.

The rollout of Intrusion Logging is still in its early stages. As more users adopt Advanced Protection Mode and Android 16 reaches a wider audience, the volume of forensic data will grow. This will likely lead to more spyware campaigns being exposed and, ideally, deter future attacks. Google’s collaboration with civil society groups like Amnesty International shows a commitment to protecting the most vulnerable users. For anyone facing serious surveillance risks, enabling Intrusion Logging is a straightforward step that could make all the difference when the worst happens.
