
Google Bolsters Android Spyware Defenses with Intrusion Logging Feature

Android device settings show Intrusion Logging feature enabled in Advanced Protection Mode.

"persistent and privacy-preserving forensics logging to allow for investigation of devices in the event of a suspected compromise," Google said — and today the company shipped a concrete tool that follows that description.

Intrusion Logging: a new opt-in for Advanced Protection Mode

Google on Tuesday introduced Intrusion Logging, an opt-in feature available as part of Android's Advanced Protection Mode designed to collect forensic data on devices that an owner suspects have been targeted by advanced spyware. The feature was developed in partnership with Amnesty International and Reporters Without Borders and is currently rolling out to devices running the Android 16 December update and newer.

What Intrusion Logging records

Google says the system captures a daily record of device and network activity. The help document lists the kinds of events saved:

  • App activity (for example, when an app process starts)
  • App installations, updates, and uninstalls
  • Network activity, such as Wi‑Fi and Bluetooth being started or stopped, DNS lookups, and the IP addresses the device connects to
  • File transfers to or from the device over USB
  • Changes to system certificates
  • When the device is locked or unlocked

Because Intrusion Logging operates at the system level, Google warns that it will also record network events generated during Chrome Incognito browsing — DNS lookups and IP connections — though it "cannot infer specific pages on those sites." In short, anyone with access to decrypted logs could see which websites were contacted but not necessarily exact pages visited.
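To make the value of those event categories concrete, here is an added triage script (not part of the article or of Google's tooling) that walks a day of constructed events in a hypothetical JSON-lines layout and flags the ones an analyst would look at first: a change to the system certificate store, an install that did not come through the app store, and a USB transfer shortly after an unlock. It also summarises contacted hosts, which is exactly the granularity the article describes for browsing activity: sites, not pages. The schema, the installer package names and the log lines are all constructed for the example.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Installer packages treated as trusted. Hypothetical allowlist for the example.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample: one day of events in an invented JSON-lines schema.
# Timestamps are UTC; the field set per type is our own assumption.
SAMPLE_LOG = """\
{"ts": "2025-01-10T08:02:11Z", "type": "unlock"}
{"ts": "2025-01-10T08:02:40Z", "type": "app_start", "package": "com.example.mail"}
{"ts": "2025-01-10T08:03:05Z", "type": "dns", "host": "mail.example.com"}
{"ts": "2025-01-10T08:03:06Z", "type": "ip", "addr": "203.0.113.10", "port": 443}
{"ts": "2025-01-10T08:10:00Z", "type": "lock"}
{"ts": "2025-01-10T13:15:02Z", "type": "unlock"}
{"ts": "2025-01-10T13:16:30Z", "type": "usb_transfer", "direction": "from_device", "bytes": 734003200}
{"ts": "2025-01-10T13:21:44Z", "type": "app_install", "package": "com.example.updater", "installer": "com.example.shell"}
{"ts": "2025-01-10T13:22:01Z", "type": "cert_change", "action": "added", "subject": "CN=Example Root CA"}
{"ts": "2025-01-10T13:22:30Z", "type": "dns", "host": "cdn.example.net"}
{"ts": "2025-01-10T13:22:31Z", "type": "ip", "addr": "198.51.100.7", "port": 443}
{"ts": "2025-01-10T13:25:00Z", "type": "lock"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into event dicts, ordered by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def triage(events: list[dict], usb_window: timedelta = timedelta(minutes=5)) -> list[tuple]:
    """Return (severity, timestamp, description) findings in time order.

    Rules are deliberately simple and defender-oriented:
      - any system certificate change is high (it can enable TLS interception);
      - an install not performed by a trusted installer is high (sideload);
      - a USB transfer within usb_window of an unlock is medium (possible
        physical extraction while the device was open).
    """
    findings = []
    last_unlock = None
    for ev in events:
        kind = ev["type"]
        if kind == "unlock":
            last_unlock = ev["ts"]
        elif kind == "cert_change":
            findings.append(("high", ev["ts"],
                             f"system certificate {ev['action']}: {ev['subject']}"))
        elif kind == "app_install" and ev.get("installer") not in TRUSTED_INSTALLERS:
            findings.append(("high", ev["ts"],
                             f"sideloaded install of {ev['package']} via "
                             f"{ev.get('installer', 'unknown')}"))
        elif kind == "usb_transfer" and last_unlock and ev["ts"] - last_unlock <= usb_window:
            secs = int((ev["ts"] - last_unlock).total_seconds())
            findings.append(("medium", ev["ts"],
                             f"USB transfer {ev['direction']} ({ev['bytes']} bytes) "
                             f"{secs}s after unlock"))
    return findings


def contacted_hosts(events: list[dict]) -> Counter:
    """Hosts seen in DNS lookups. This is the level the logs expose for
    browsing, Incognito included: which sites, not which pages."""
    return Counter(ev["host"] for ev in events if ev["type"] == "dns")


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for sev, ts, desc in triage(evs):
        print(f"{ts:%Y-%m-%d %H:%M:%S} [{sev}] {desc}")
    print("hosts:", dict(contacted_hosts(evs)))
```

On the constructed day the script reports the USB transfer 88 seconds after the afternoon unlock, then the non-store install, then the added root certificate; the three events cluster within seven minutes, which is the kind of sequence an analyst would want preserved off-device rather than left where malware could delete it.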

Encryption, retention, and user control

Google describes the data as end-to-end encrypted on the device and stored on Google servers. According to the company, the encryption keys are protected by a user's Google Account password and screen lock credentials, meaning the logs "cannot be accessed by any third-party, including Google itself, apart from the device owner." Reporters Without Borders echoed this design, saying that by storing the data on a secure server "even malware installed on the smartphone cannot access, delete, or manipulate it," and that end-to-end encryption "also ensures that neither Google nor state actors can access the data."

The encrypted logs are retained for 12 months and are automatically wiped after that period. Once Intrusion Logging is enabled, a user cannot delete the logs before the 12‑month expiration window—even if the account is closed or the feature is turned off. Users may download the logs for offline retention, but Google warns that once logs are downloaded and decrypted, the user is responsible for securing them and that "in certain legal or regulatory environments, you may be required by law to provide access to your decrypted data or your security credentials."

Logs can be accessed and downloaded through Settings > Security & privacy > Advanced Protection > Intrusion Logging > Access logs.
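The property the article describes (the server stores only ciphertext, and the keys are recoverable only from the owner's Google Account password and screen lock, so neither Google nor malware on the phone can read or rewrite the record) can be illustrated with a small envelope-encryption sketch. This is an added example and not Google's implementation: how the two credentials are combined, the salt/wrapped-key/entries layout, and the use of an HMAC-SHA256 counter-mode stream with an HMAC tag as a stand-in for a real AEAD such as AES-GCM are all assumptions made so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000


def derive_kek(account_password: str, screen_lock: str, salt: bytes) -> bytes:
    """Key-encryption key derived from BOTH credentials (hypothetical
    combination; the article says only that both protect the keys)."""
    material = account_password.encode() + b"\x00" + screen_lock.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream (stand-in for AES)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), "sha256").digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with independent subkeys; returns nonce || ct || tag."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or any modification fails here."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong credentials or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ServerStore:
    """What the server side holds: a salt, the wrapped data key and sealed
    entries. It exposes an append path and no delete path, mirroring the
    fixed retention the article describes (constructed layout)."""

    def __init__(self, salt: bytes, wrapped_dek: bytes):
        self.salt = salt
        self.wrapped_dek = wrapped_dek
        self.entries: list[bytes] = []

    def append(self, sealed_entry: bytes) -> None:
        self.entries.append(sealed_entry)


def enroll(account_password: str, screen_lock: str) -> tuple[ServerStore, bytes]:
    """Device-side setup: random data key, wrapped under the credential-derived KEK."""
    salt = secrets.token_bytes(16)
    dek = secrets.token_bytes(32)
    kek = derive_kek(account_password, screen_lock, salt)
    return ServerStore(salt, seal(kek, dek)), dek


def upload_entry(store: ServerStore, dek: bytes, entry: str) -> None:
    """Device encrypts each log entry before it leaves the phone."""
    store.append(seal(dek, entry.encode()))


def decrypt_logs(store: ServerStore, account_password: str, screen_lock: str) -> list[str]:
    """Owner-side export: re-derive the KEK, unwrap the DEK, decrypt every entry.
    Without both credentials the unwrap step fails, so the stored ciphertext
    is useless to the server operator or to anyone who copies the store."""
    kek = derive_kek(account_password, screen_lock, store.salt)
    dek = open_sealed(kek, store.wrapped_dek)
    return [open_sealed(dek, e).decode() for e in store.entries]


if __name__ == "__main__":
    store, dek = enroll("correct horse battery", "4821")
    upload_entry(store, dek, "2025-01-10T13:22:01Z cert_change added CN=Example Root CA")
    print(decrypt_logs(store, "correct horse battery", "4821"))
```

Two behaviours worth noting match the article's caveats: a decrypted export is ordinary plaintext, so whoever downloads it carries the protection burden from then on, and the PBKDF2 work factor only slows guessing of the credentials; it does not help if they are handed over, which is the legal exposure the article points at.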

Other Android security and privacy features announced

Google released Intrusion Logging alongside a suite of additional protections. The company detailed a verified financial calls feature and new call‑spoofing protections: when a call appears to be from a participating bank, Android asks the installed online banking app to confirm whether the call is legitimate; if the app indicates no such call is being made, the system automatically ends it. Revolut, Itaú, and Nubank are named as participating banks, and Google expects the feature to go live on Android 11+ devices with those banks in the coming weeks before expanding to more banks later in the year.

Other announced changes include:

  • expanding Live Threat Detection to warn about suspicious behaviors such as SMS forwarding and accessibility overlays;
  • evaluating APKs downloaded via Chrome with Safe Browsing enabled;
  • restricting accessibility services to apps labeled as accessibility tools;
  • disabling device-to-device unlocking and Chrome WebGPU support;
  • adding scam detection for chat notifications;
  • hardening device protections, including hiding SMS one-time passwords from most apps for three hours and introducing post‑quantum cryptography.

Google also said it is adding features such as enhancing Find Hub's Mark as lost to lock a phone with biometric authentication, reducing the number of PIN/password guesses possible by third parties with physical access, making a device's IMEI accessible via the lock screen on Android 12+ devices for recovery, and expanding Binary Transparency with a public ledger for authentic Google apps and foundational GMS APIs. Eugene Liderman, director of Android security and privacy, summarized the intent: "By improving protections against banking scams, and extending powerful protections like Live Threat Detection and Android Advanced Protection, we are ensuring that Android remains the most secure platform."

What this means for high-risk individuals, Amnesty International, and Reporters Without Borders

  • High-risk individuals: Intrusion Logging is intended for people who suspect they have been targeted by advanced surveillance tools; it provides a way to gather consensual forensic data that can be shared with trusted experts.
  • Amnesty International: Donncha Ó Cearbhaill, head of Security Lab at Amnesty International, said the feature makes more consensual forensic data available to researchers, helping "make life more difficult for attackers" and assisting civil society in seeking accountability when devices are unlawfully targeted by spyware and mobile data extraction tools.
  • Reporters Without Borders: The organization framed the stored, encrypted logs as resistant to manipulation by malware and inaccessible to Google or state actors, highlighting the feature's role in defending journalistic sources and at‑risk communications.

Conclusion

Intrusion Logging is a purpose-built, opt-in approach to preserve forensic evidence on Android devices, combining daily system- and network-level records with end-to-end encryption and a fixed 12‑month retention. For the individuals and organizations the feature is aimed at, Google and its partners present it as a practical step toward making sophisticated mobile attacks easier to detect and harder to hide. Whether that design, its legal caveats around downloaded decrypted logs, and its real-world adoption among high-risk users will produce clearer attribution and accountability is the next question left to those who will test the system in the field.
