Google Bolsters Android Security to Counter Spyware Vendors

"The new intrusion logging feature promises to be a major aid to digital forensics researchers undertaking investigations into sophisticated attacks on Android devices," Amnesty International said.

What Intrusion Logging records

Google's new Intrusion Logging feature is built specifically to preserve forensic traces of sophisticated attacks on Android devices. According to the company and Amnesty International, the feature keeps records of security incidents such as device unlocking, physical access, and spyware installation and removal. Intrusion Logging is part of Android Advanced Protection Mode and is intended to produce persistent, privacy-preserving logs that forensic analysts can use when investigating a suspected compromise.

How Google built and is rolling out the capability

Google has been ramping up Intrusion Logging since last year and began rolling it out on Tuesday as part of its annual Android security and privacy update. The update documents the feature and notes that Google developed it in collaboration with Amnesty International, Reporters Without Borders and other partners. Eugene Liderman, director of Android security and privacy, described the aim in a written comment: "Intrusion Logging enables persistent and privacy-preserving forensics logging to allow for investigation of devices in the event of a suspected compromise."

The company framed Intrusion Logging as one addition among other defensive moves against advanced attacks, citing protections such as stronger defenses against banking scam calls and new features to detect suspicious activity on Android phones. The rollout is limited so far to certain devices and OS versions (see below) as Google expands the capability.

How civil-society investigators and researchers reacted

Amnesty International called the feature an important first. In a technical briefing, the organization said, "This is the first time a major device vendor has released a feature specifically to enhance the ability to forensically detect and respond to advanced digital threats." Donncha Ó Cearbhaill, head of the Amnesty International Security Lab, framed Intrusion Logging as a tool that could push attackers onto the defensive: "Intrusion Logging ... promises to help shift the balance to the advantage of defenders, providing civil society investigators with the key evidence needed to detect and expose some of the most advanced attacks facing journalists and activists."

Amnesty also places Intrusion Logging alongside defensive features released by other vendors, noting that the capability joins an expanding slate of protections such as Apple's Lockdown Mode and Memory Integrity Enforcement and WhatsApp's Strict Account Settings.

Technical and operational limits: Android 16, Pixel devices, and data handling

Amnesty's technical briefing and developer notes identify several constraints users and investigators must manage. Intrusion Logging requires Android 16 and is only available for now on Pixel devices. The device must be linked to a Google account to enable the feature. The logs themselves may contain sensitive information — Amnesty explicitly cited browser navigation history as an example — making secure handling and sharing of exported logs an important operational step.

Amnesty also warned that logs may be deletable by attackers. Donncha Ó Cearbhaill told CyberScoop that he understands there are plans to strengthen protections against deletion in future versions, and he added that many attacks would be detectable in the logs even where attackers did not have the root access needed to attempt deletions.

What this means for digital forensics researchers, civil society investigators, and end users

  • Digital forensics researchers: Expect a new, dedicated source of consensual forensic data tailored for advanced-attack investigations. Analysts will need procedures to export and securely handle logs, and to integrate Intrusion Logging outputs with other evidence sources.
  • Civil society investigators and human-rights groups: The feature is designed to provide "key evidence" for detecting and exposing unlawful targeting, but organizations must weigh the privacy sensitivity of exported logs and the requirement that devices run Android 16 on Pixel hardware.
  • End users concerned about targeted compromise: To enable Intrusion Logging you must use Android Advanced Protection Mode; the feature is found at Settings > Security & privacy > Advanced Protection > Intrusion Logging. If a security incident is suspected, users will need to export and share those logs with a forensic analyst.

Google's Intrusion Logging does not promise a silver bullet, but it marks a concrete, vendor-led step to make forensic traces more resilient and more accessible to researchers and investigators. By designing logs for forensic use — while acknowledging platform, device, and privacy limits — Google and Amnesty International have created a capability aimed at tilting evidence collection back toward defenders and those seeking accountability. How quickly the protections against log deletion are hardened, how broadly the feature is extended beyond Pixel devices and Android 16, and how securely logs are shared will determine whether that promise is realized.

https://cyberscoop.com/google-android-intrusion-logging-amnesty-spyware-detection/