Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Google is rolling out a new feature in Android that aims to help security researchers investigate spyware.
This feature is called “Intrusion Logging” and is part of Android Advanced Protection Mode, which Google introduced last year, a security system that enables certain features with the aim of making the device more difficult to hack. Advanced Protection Mode is designed to combat government spyware and police forensic tools that try to extract data from a person’s phone.
The two types of attacks can also be combined. In one case documented in Serbia, authorities used a forensics tool developed by Cellebrite to unlock a device, then installed spyware as another way to monitor the target.
The release of Intrusion Logging is the first time that a smartphone manufacturer has launched a product with the goal of helping security researchers investigate espionage. To achieve this, Android Intrusion Logging creates a new type of log, which records errors and gathers evidence when something goes wrong with an app, for review in suspected spyware attacks.
Amnesty International, which worked with Google to develop the feature, called Intrusion Logging “an important change in the amount and quality of forensic data available on Android devices.”
“Until now, forensic analysis has relied on logs that were not designed to be identified,” Amnesty wrote in a blog post that explains in detail how Intrusion Logging works. This means that previous logs were not useful to researchers, as they did not stay on the device for long and were often overwritten, removing potential evidence.
Donncha Ó Cearbhaill, head of Amnesty’s Security Lab, told TechCrunch that Android’s technical limitations “have made it difficult to deeply analyze system logs and files for inconsistent signals, unlike iOS.”
“These limitations have meant that we have not been able to identify the most common features of Android,” said Ó Cearbhaill, who over the years has investigated dozens of espionage cases around the world.
The ability to effectively detect spyware attacks should improve with Intrusion Logging. Google announced this a year ago, but the company is shipping it soon. In a Tuesday blog post, Google said Intrusion Logging is “currently available on all devices running the Android 16 December update.”
Intrusion Logging captures security-related events and potential intrusions. Initially, the service creates and collects logs once a day and stores them encrypted in a Google account in the cloud. Storing logs in the cloud can prevent spyware from deleting evidence of the device's compromise. The logs are also kept private so that only the user can access them and share them with researchers, and Google cannot access them.
Some of the events that Intrusion Logging monitors include when the phone is unlocked; when apps are installed and removed; the websites and servers to which the phone connects; whether the device is connected to the Android Debug Bridge, a tool that allows a computer, or a forensic device such as Cellebrite's, to connect to an Android device; and whether someone tries to delete logs related to these events, which would indicate an attempt to hide evidence of the attack.
In the event of a spyware attack, these logs can help investigators understand when and how authorities may have hacked or jailbroken someone’s device and connected it to a forensics tool, or used it to install spyware or stalkerware. Logs can also reveal whether the phone at some point connected to a malicious website that tried to hack the device, or to servers designed to extract information from the phone.
Do you have information about spyware, or spyware developers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.
Although it is a step forward, Intrusion Logging has its limitations. Currently, as well as turning on Advanced Protection Mode, this feature requires the latest Android software, is available on Pixel devices made by Google, and the device must be connected to a Google account. The logs also automatically store browsing history and links, which people may be wary of sharing with researchers.
Google says Advanced Protection Mode and Intrusion Logging are for people who think they may be at risk of being targeted by spyware and law enforcement tools, such as human rights activists, activists, journalists, and critics. Advanced Protection Mode is similar to Lockdown Mode for Apple devices, which is also designed for vulnerable users and is considered the best way to protect against spyware.
As recently as March, Apple said it had never seen a successful attack against users who have Lockdown Mode enabled. In 2023, security researchers at Citizen Lab said Lockdown Mode prevented an attempt to infect a target with NSO spyware.
On its blog, Amnesty has included detailed instructions on how to download the logs if a user suspects or has been notified that they are being targeted by spyware. Apple, Google, and Meta have sent threat notifications to users for years, which researchers say has become critical to finding and exposing abuse cases.