Google Introduces Android Security Feature to Detect Spyware Attacks

Google has introduced a new, optional feature in Android called “Intrusion Logging” to aid security researchers in examining spyware attacks. This is part of Android’s Advanced Protection Mode, an opt-in security setting aimed at making devices more resistant to hacks, particularly targeting government spyware and police forensic tools that attempt data extraction. A notable instance in Serbia involved authorities using Cellebrite to unlock a device before installing spyware for further monitoring.

Intrusion Logging is a groundbreaking feature from a phone manufacturer aimed at assisting security experts in investigating spyware attacks. The function logs errors and gathers evidence when software problems occur, giving investigators better visibility into suspected spyware activity. Amnesty International collaborated with Google on this initiative, noting the significant improvement in the quality of forensic data available on Android devices. Previously, forensic analysis relied on logs that were not designed for intrusion detection, were short-lived, and were often overwritten.

Donncha Ó Cearbhaill from Amnesty’s Security Lab highlighted the historical difficulties in deeply analyzing Android system logs compared to iOS, hindering reliable detection of known Android attacks. Intrusion Logging is expected to improve spyware detection capabilities. Although announced a year ago, Google is now implementing this feature for devices with the Android 16 December update and newer.

Functioning by capturing security event logs daily, Intrusion Logging stores them encrypted in a user’s Google account cloud. This method helps preserve evidence by preventing spyware from deleting logs and ensures that only users can share the logs with investigators, not Google. The logs document events such as phone unlocks, app installations, website connections, interactions with tools like Android Debug Bridge (which forensic tools like Cellebrite can use), and attempts to delete logs.

These logs can be crucial for investigators trying to understand a potential device compromise, including unauthorized access and connections to malicious sites or data-extracting servers. There are limitations, however: the feature requires enabling Advanced Protection Mode, the latest Android version, and a Google account, and it is currently available only on Google Pixel devices. The logs also record browsing history, which may raise concerns about sharing them with investigators.

Google indicates that Advanced Protection Mode and Intrusion Logging are for those at potential risk, like human rights defenders and journalists. It parallels Apple’s Lockdown Mode, also designed for at-risk individuals. In March, Apple reported no successful attacks on Lockdown Mode users, and in 2023, Citizen Lab noted that Lockdown Mode blocked an attempted NSO spyware infection.

Amnesty’s blog provides detailed steps for downloading logs if a user suspects spyware targeting. Apple, Google, and Meta have long notified users of such threats, vital for uncovering and addressing misuse cases.