Google and Amnesty say Android’s new Intrusion Logging feature gives at-risk users and investigators a much stronger forensic trail for detecting spyware and other advanced device intrusions.

# Google rolls out Android Intrusion Logging to help expose spyware attacks

## Opening summary

Google is rolling out Android Intrusion Logging, a new feature inside Advanced Protection Mode that is meant to help investigators detect spyware attacks and other sophisticated device intrusions. Amnesty International, which worked with Google on the design, says the change represents a major shift because Android forensic analysis has historically relied on limited system traces that were never meant for intrusion detection.

## Main article

The core idea is simple but important: instead of forcing researchers to piece together evidence from logs that are quickly overwritten or difficult to access, Intrusion Logging creates a purpose-built record of security-relevant events. Google says the logs are encrypted and stored in the user’s Google account so the user can later share them with investigators, while Amnesty says that approach creates a much richer evidence trail for consensual forensic analysis.

According to Google and TechCrunch’s reporting, the feature can capture things like app installation events, connections to sites and servers, device unlock activity, Android Debug Bridge connections, and attempts to tamper with the logs themselves. That kind of visibility matters in cases where a phone may have been accessed with forensic tools, stalkerware, or commercial spyware that tries to erase traces of compromise after the fact.

Amnesty’s write-up is what gives the launch extra weight. The organization says civil-society investigators have spent years working around Android logging limitations when examining attacks on journalists, activists, and human-rights defenders. Its endorsement suggests this is not just a marketing feature, but a response to a real operational gap in mobile forensics.

The rollout is still selective. Users need Advanced Protection Mode and the relevant newer Android software support, and this is clearly designed for people at elevated risk rather than the average phone owner. Even so, it marks a notable shift in how Google is approaching mobile defense: not just by hardening devices up front, but by making sophisticated attacks easier to detect and document afterward.

## Why it matters

This matters because spyware cases often become invisible once attackers clean up after themselves. A stronger forensic trail can improve accountability, help researchers detect abuse faster, and raise the cost for surveillance operators targeting high-risk users.

## Source notes

- Verified against Google’s Android security and privacy announcement for the feature name, rollout framing, and placement inside Advanced Protection Mode.
- Used Amnesty International’s technical briefing to confirm the forensic purpose of the feature and its significance for investigators.
- TechCrunch reporting was used to corroborate rollout detail and explain how the logging can help with spyware investigations.

Sources: https://blog.google/security/whats-new-in-android-security-privacy-2026/ · https://securitylab.amnesty.org/latest/2026/05/android-intrusion-logging-as-a-new-source-of-data-for-consensual-forensic-analysis/ · https://techcrunch.com/2026/05/12/google-launches-new-android-security-feature-to-help-uncover-spyware-attacks/