Google Android adds new spyware intrusion logging feature
Google is rolling out a new opt-in feature for Android, dubbed “Intrusion Logging” and available only on Android 16, designed to help security researchers investigate sophisticated spyware attacks. This marks a significant shift, as it is the first time a phone maker has introduced a feature specifically aimed at aiding investigations into such intrusions. The tool is integrated into Android’s Advanced Protection Mode, an opt-in security setting launched last year to fortify devices against hacking attempts.

Android Bolsters Defenses Against Spyware Attacks

Intrusion Logging creates a specialized log that records errors and collects evidence when software malfunctions, offering crucial visibility into suspected spyware activities. This capability is particularly aimed at countering government-backed spyware and police forensic devices, which are often combined in real-world scenarios. For instance, in Serbia, authorities reportedly used a Cellebrite forensic tool to unlock a device before installing spyware for ongoing surveillance.

Amnesty International Hails Enhanced Forensic Data

Amnesty International, a key collaborator with Google in developing this feature, has lauded Intrusion Logging as “a fundamental shift in the amount and quality of forensic data available on Android devices.” Previously, forensic analysis relied on logs not designed for intrusion detection, which were often quickly overwritten, erasing potential evidence. Donncha Ó Cearbhaill, head of Amnesty’s Security Lab, noted that prior technical limitations on Android made deep analysis of system logs difficult, unlike with iOS, hindering reliable detection of known attacks.

Understanding Intrusion Logging’s Data Collection

Intrusion Logging captures security-related events and potential intrusions, creating and collecting logs daily. These logs are stored encrypted in a user’s Google account in the cloud, a measure designed to prevent spyware from deleting evidence. Crucially, the logs are encrypted such that only the user can access and share them with investigators, with Google unable to view the contents.

The feature records a range of events, including:

  • When the phone was unlocked.
  • Installation and uninstallation of applications.
  • Websites and servers the phone connected to.
  • Connections to Android Debug Bridge (ADB), a tool that allows external devices, such as forensic tools like Cellebrite, to connect to an Android device.
  • Attempts to delete logs related to these events, which could signal an effort to conceal an attack.

These detailed records can help investigators pinpoint when and how a device might have been compromised, unlocked, or subjected to spyware installation.

Accessing and Sharing Your Intrusion Logs

For users who suspect a spyware attack, Amnesty International has provided step-by-step instructions on how to download these critical logs. This process enables users to securely retrieve the data for forensic analysis.

  1. Open the Settings app on your Android device.
  2. Scroll down and tap on Security & privacy.
  3. Select More security & privacy.
  4. Tap Advanced Protection Mode.
  5. Choose Intrusion Logging.
  6. Tap Download logs to retrieve the encrypted data from your Google account.

Note: Intrusion Logging is currently rolling out to devices running the Android 16 December update and newer, and is exclusive to Google-made Pixel devices linked to a Google account.

Targeted Protection and Future Outlook

Google states that Advanced Protection Mode and Intrusion Logging are intended for individuals at high risk of targeted attacks, such as human rights defenders, activists, journalists, and dissidents. This approach mirrors Apple’s Lockdown Mode, also designed for at-risk users, which has proven effective against spyware. As of March, Apple reported no successful attacks against users with Lockdown Mode enabled. While a significant advancement, Intrusion Logging does have limitations, including its Pixel-only availability and the need for the latest Android software. The feature’s recording of browser navigation history may also raise privacy concerns for some users when sharing logs with investigators.
