Google is rolling out a new feature that will help investigate spyware attacks on Android devices.
The new tool, called Android Intrusion Logging, was released on May 12 as part of Google’s Android Advanced Protection Mode (AAPM).
This mode, which can be likened to Apple’s Lockdown Mode, was launched in 2025. Designed to enhance the security of Android devices for at-risk users, AAPM packages a set of pre-determined features designed to bolster device protection against scams, fraud and targeted attacks.
AAPM’s newest feature, Intrusion Logging, was developed by Google in partnership with civil society organizations, including Amnesty International’s ’s Security Lab and Reporters Without Borders’ Digital Security Lab.
With Intrusion Logging, high-risk Android users can log their device and network activities for times when they notice suspicious activity or suspect their device has been infected with malware.
By doing that, they will allow trusted security experts to perform forensic investigations into their device’s behavior, including applications that run on it.
These logs include:
- Security events (e.g. device unlocking, physical access and abusive interactions)
- Spyware installation and removal
- Domain name system (DNS) and connections events
All forensic logs, collected once a day by default, are encrypted with a user-generated key before the logs are securely archived in the user’s Google account. The logs can later be accessed and decrypted by the user, but not by Google or any unauthorized third parties.
When forensic analysis is required, the device owner must explicitly share these logs from the device itself in a secure manner with the forensic analyst.
“Intrusion Logging logs may include sensitive information such as browser navigation history. Secure sharing of logs and informed consent are therefore more essential than ever,” warned Amnesty International in a May 12 report.
Donncha Ó Cearbhaill, head of security at Amnesty Tech, praised Google for the release of Intrusion Logging on X. He explained that spyware forensic work “has so far relied on incidental logs that were never designed for security analysis and are too often partial and short-lived.”
“Now we have the possibility to detect advanced spyware, exploits, unauthorized physical access, even months after the fact,” he added.
The feature is opt-in for Pixel devices on Android 16 and later versions with Advanced Protection mode enabled. Users who wish to benefit from Intrusion Logging must have a Google account linked to their device.
Google plans to roll Intrusion Logging out beyond Pixel devices in the future.
In parallel to the introduction of Intrusion Logging, Amnesty International has releasing updates to Android Quick Forensics (AndroidQF).
AndroidQF is a lightweight open source forensic tool for Android devices to quickly extract and analyze critical evidence during investigations, and the Mobile Verification Toolkit (MVT), an Amnesty-made, open source toolkit to simplify and automate the process of gathering forensic traces to identify a potential compromise of Android and iOS devices.
Latest Updates to Android Advanced Protection Mode
Google also has rolled out a package of updates to its Android Advanced Protection Mode. These include:
- USB Protection: Now available on all Pixel devices running Android 16 and newer, this feature blocks new USB data connections while the device screen is locked
- Restricted accessibility services: Starting with Android 17, the mode will remove accessibility service access for all apps that are not explicitly labeled as accessibility tools to prevent malicious exploitation
- Disabled device-to-device unlocking: To enhance physical security, the ability to unlock one device using another nearby trusted device is being disabled
- Chrome WebGPU support removal: Support for WebGPU in Chrome will be disabled within this mode to reduce the browser’s attack surface
- Chat notification scam detection: The mode will now integrate scam detection specifically for chat notifications to help identify and block fraudulent messages.
Finally, Advanced Protection will be expanded to support managed devices through Android Enterprise later this year.
Image credits: Thrive Studios ID / DIA TV / Shutterstock.com
