Android Adds Intrusion Logging for Sophisticated Spyware Forensics
Google adds the Intrusion Logging feature to Android for forensic analysis of advanced spyware
Google Adds Intrusion Logging to Android for Forensic Analysis of Sophisticated Spyware
TL;DR
Google has introduced Intrusion Logging, an opt-in forensics feature within Advanced Protection Mode that records device and network activity to help detect advanced spyware attacks. Developed with Amnesty International and Reporters Without Borders, the feature encrypts logs end-to-end and stores them for 12 months, allowing high-risk individuals to share activity records with security experts for analysis. The feature rolls out to devices running the Android 16 December update and newer.
What happened
Google unveiled Intrusion Logging as part of a broader Android security update announced in May 2026. The feature addresses a specific operational security gap: detecting and analyzing sophisticated spyware attacks after a compromise is suspected.
Intrusion Logging operates within Advanced Protection Mode and logs device and network activities on a daily basis. The recorded activities include:
- App process starts and other app activity
- App installations, updates, and uninstalls
- Network connections (Wi-Fi, Bluetooth state changes, DNS lookups, IP addresses)
- File transfers to or from the device over USB
- Changes to system certificates
- Device lock and unlock events
The logs also capture network events from Chrome Incognito browsing, including DNS lookups and IP connections. This occurs because the logging operates at the system level and does not distinguish between browsing modes. Users viewing decrypted logs can therefore identify which websites were accessed, though not specific pages within those sites.
Data protection is handled through end-to-end encryption performed on the device, with the encryption keys secured by the user's Google Account password and screen lock credentials. Encrypted logs are stored on Google servers and remain inaccessible to third parties, including Google itself and state actors, according to statements from Reporters Without Borders. The encrypted logs are retained for 12 months before automatic deletion.
A critical constraint: once enabled, users cannot delete logs before the 12-month expiration window, even if the account is closed or the feature is disabled. However, logs can be downloaded for offline, independent analysis, after which users assume responsibility for the security of the downloaded copy.
The feature targets high-risk individuals—such as journalists, activists, and human rights defenders—who may suspect targeted surveillance. Users can share activity logs with trusted security experts by downloading them from Settings > Security & privacy > Advanced Protection > Intrusion Logging > Access logs.
The rollout reaches devices running the Android 16 December update and newer.
Why it matters
For defenders and security analysts in the MENA region, Intrusion Logging addresses a forensic challenge: detecting attacks by advanced spyware tools that leave minimal traces on device storage. Traditional post-compromise analysis often fails against sophisticated surveillanceware designed to hide from standard forensic methods.
The feature is particularly relevant for organizations and individuals operating in threat environments where mobile compromise poses high risk. By preserving encrypted system-level telemetry, the tool enables retrospective detection of:
- Suspicious process execution and app behavior
- Unusual network connections and DNS activity
- Unauthorized file transfers
- Certificate manipulation indicating man-in-the-middle interception
For SOC analysts advising high-risk users, Intrusion Logging provides a structured data source for threat hunting after suspected compromise. The 12-month retention window supports investigation timelines that span typical spyware persistence periods.
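The retrospective detection described above can be scripted once a user has downloaded and decrypted their logs. The following triage script is an added example written for this article; it is not Google's code, and the article does not document the export format, so it assumes a constructed JSON Lines layout (one event per line, with the event categories the article lists) and a constructed baseline of domains the user normally contacts. The rules are the defender's starting points from the list above: system certificate changes, USB transfers while the device is locked, app installations while locked, DNS lookups to domains outside the baseline, and network activity in the first 60 seconds after an installation.

```python
"""Triage of a decrypted Intrusion Logging export.

Added example, not part of the original article or of Android itself.
Assumed (hypothetical) export format: JSON Lines, one event per line,
    {"ts": "<ISO-8601 UTC>", "type": "<event type>", ...fields...}
with event types mirroring the article's categories: process_start, app_install,
app_update, app_uninstall, dns_lookup, ip_connect, usb_transfer, cert_change,
lock, unlock.
"""
import json
from collections import Counter
from datetime import datetime, timedelta

# Network activity this soon after an install is worth a second look.
POST_INSTALL_WINDOW = timedelta(seconds=60)

# Constructed sample export: a normal morning, then an install while the device is
# locked, an immediate outbound connection, a new system CA, and a USB transfer.
SAMPLE_LOG = """\
{"ts": "2026-05-10T08:00:00Z", "type": "unlock"}
{"ts": "2026-05-10T08:00:05Z", "type": "process_start", "package": "com.example.mail"}
{"ts": "2026-05-10T08:00:06Z", "type": "dns_lookup", "domain": "mail.example.com"}
{"ts": "2026-05-10T08:30:00Z", "type": "lock"}
{"ts": "2026-05-10T09:15:00Z", "type": "app_install", "package": "com.hypothetical.update"}
{"ts": "2026-05-10T09:15:02Z", "type": "process_start", "package": "com.hypothetical.update"}
{"ts": "2026-05-10T09:15:03Z", "type": "dns_lookup", "domain": "cdn.hypothetical-c2.example"}
{"ts": "2026-05-10T09:15:04Z", "type": "ip_connect", "ip": "198.51.100.23", "port": 443}
{"ts": "2026-05-10T09:16:00Z", "type": "cert_change", "action": "added", "subject": "CN=Hypothetical Root CA"}
{"ts": "2026-05-10T10:00:00Z", "type": "usb_transfer", "direction": "out", "bytes": 52428800}
{"ts": "2026-05-10T11:00:00Z", "type": "unlock"}
"""

# Constructed baseline: domains the user is known to contact routinely.
BASELINE_DOMAINS = {"mail.example.com"}


def parse_events(text: str) -> list:
    """Parse JSON Lines into event dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def triage(events: list, baseline_domains: set) -> list:
    """Walk the timeline once, tracking lock state and the most recent install."""
    findings = []
    locked = None          # unknown until the first lock/unlock event is seen
    last_install = None    # most recent app_install event, for the post-install window

    def flag(rule, ev, detail):
        findings.append({"rule": rule, "ts": ev["ts"].isoformat(), "detail": detail})

    for ev in events:
        kind = ev["type"]
        if kind == "lock":
            locked = True
        elif kind == "unlock":
            locked = False
        elif kind == "cert_change":
            # Any change to the system certificate store is rare enough to review.
            flag("system_cert_change", ev, f"{ev.get('action')} {ev.get('subject')}")
        elif kind == "usb_transfer" and locked:
            # Data moving over USB while nobody has unlocked the device.
            flag("usb_transfer_while_locked", ev,
                 f"{ev.get('direction')} {ev.get('bytes')} bytes")
        elif kind == "app_install":
            last_install = ev
            if locked:
                flag("install_while_locked", ev, ev.get("package"))
        elif kind in ("dns_lookup", "ip_connect"):
            if kind == "dns_lookup" and ev.get("domain") not in baseline_domains:
                flag("unlisted_domain", ev, ev["domain"])
            if last_install and ev["ts"] - last_install["ts"] <= POST_INSTALL_WINDOW:
                target = ev.get("domain") or ev.get("ip")
                flag("post_install_network", ev,
                     f"{target} within {POST_INSTALL_WINDOW.seconds}s of installing "
                     f"{last_install.get('package')}")
    return findings


def summarize(findings: list) -> Counter:
    """Count findings per rule, for a quick overview before reading details."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    results = triage(parse_events(SAMPLE_LOG), BASELINE_DOMAINS)
    for f in results:
        print(f"{f['ts']}  {f['rule']:<26} {f['detail']}")
    print(dict(summarize(results)))
```

The lock-state tracking is what separates this from grepping for event types: a USB transfer or an installation is routine when the owner is present, and only becomes interesting when the log shows the device was locked. In practice the baseline set would be built from a known-clean period of the same user's logs rather than typed in by hand.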
The privacy model—end-to-end encryption with keys bound to device credentials—addresses a critical concern: forensic data collection cannot itself become a surveillance vector. Neither the device owner's service provider nor law enforcement can access logs without the device owner's authentication factors.
Affected systems and CVEs
- Android 16 December update and newer
No CVE assigned at the time of publication.
What to do
- Enable Intrusion Logging via Advanced Protection Mode if operating in a high-threat environment where mobile compromise is plausible.
- Periodically download logs offline and retain them in a secure location separate from the device, in case independent forensic analysis becomes necessary later.
- Share encrypted or decrypted logs with trusted security researchers or incident response teams if a compromise is suspected.
- Be aware that enabling Intrusion Logging records Chrome Incognito activity at the network level; decrypted logs will expose visited domains even when private browsing is used.
- Understand that once logs are downloaded and decrypted, the user is responsible for their confidentiality; in certain jurisdictions, decrypted forensic data may be subject to legal disclosure.
Open questions
- The source does not specify the exact version number of Android 16 or identify which specific spyware families or threat actors motivated development of this feature.
- Geographic availability of Intrusion Logging is not stated; deployment scope across MENA and other regions is unclear.
- The source does not describe the technical implementation of end-to-end encryption or key derivation methods.
- Notification mechanisms when the 12-month retention period approaches expiration are not detailed.
- Timeline and scope for expansion of Intrusion Logging to Android versions earlier than the Android 16 December update are not provided.
Source
Android Adds Intrusion Logging for Sophisticated Spyware Forensics