Google Introduces Groundbreaking Intrusion Logging Feature for Android Devices
In a significant step toward enhancing security for its users, Google has announced the rollout of a new feature aimed at investigating spyware attacks on Android devices. This feature, known as Android Intrusion Logging, was officially released on May 12, 2026, as part of the company’s Advanced Protection Mode (AAPM).
The introduction of Intrusion Logging is particularly crucial in today’s digital landscape, where the threats posed by spyware and cyberattacks are becoming increasingly sophisticated. AAPM, which can be compared to Apple’s Lockdown Mode, was initially introduced in 2025. It is specifically designed to fortify the security of Android devices for high-risk users by providing a suite of predetermined features that enhance device protection against scams, fraud, and targeted cyberattacks.
Developed through collaboration with civil society organizations such as Amnesty International and Reporters Without Borders, Intrusion Logging gives high-risk Android users the ability to document their device and network activities when they suspect suspicious behavior or believe their device may be compromised by malware. This data will enable trusted security experts to carry out thorough forensic investigations into the device’s actions, enabling better detection of unauthorized access or spyware presence.
So what exactly does this feature entail? Intrusion Logging captures various types of logs that are crucial for forensic examination. These include security events such as device unlock attempts, instances of physical access, and other abusive interactions, as well as records of spyware installations and removals. Additionally, the logs capture domain name system (DNS) and connection events, thereby providing a comprehensive overview of the device’s activities during potentially compromised periods.
The logs generated are collected daily by default and are encrypted using a user-generated key before being securely archived in the user’s Google account. This encryption ensures that while users can access and decrypt their logs, neither Google nor any unauthorized third parties have the ability to view or access the information. This security measure is particularly significant considering the sensitive nature of the data collected, including potentially revealing browsing history. In a statement, Amnesty International emphasized the critical nature of secure log sharing and informed consent, highlighting that "Intrusion Logging logs may include sensitive information."
Donncha Ó Cearbhaill, the head of security at Amnesty Tech, praised Google for this innovative feature, commenting on social media platform X that the introduction of Intrusion Logging represents a pivotal advancement for spyware forensic analysis. He noted that past forensic efforts have often relied on incidental logs that were inadequately designed for security analysis, merely offering partial snapshots of user activity. With Intrusion Logging, however, the opportunity now exists to identify advanced spyware, exploits, and even instances of unauthorized physical access, significantly bolstering the forensic capability months after suspicious activity has been observed.
To utilize this feature, users must opt-in through their Pixel devices running Android 16 or later versions, with Advanced Protection Mode enabled. Additionally, a Google account must be linked to the device for users to take advantage of Intrusion Logging. Google has also indicated plans to expand this feature to other devices beyond Pixel in the future, which would further enhance the security landscape for Android users.
In tandem with Intrusion Logging, Amnesty International has announced updates to the Android Quick Forensics (AndroidQF) tool. This lightweight, open-source forensic tool enables rapid extraction and analysis of crucial evidence during investigations. The Mobile Verification Toolkit (MVT), another initiative from Amnesty, will also be updated to streamline and automate the gathering of forensic data to assess potential compromises on both Android and iOS devices.
In addition to Intrusion Logging and the enhanced forensic tools, Google has introduced a series of updates to the Android Advanced Protection Mode. These updates are designed to provide users with a suite of additional security features, including:
-
USB Protection: Available on all Pixel devices running Android 16 and newer, this feature blocks new USB data connections while the device screen is locked.
-
Restricted Accessibility Services: Starting with Android 17, this enhancement will prevent all apps not explicitly designated as accessibility tools from accessing accessibility services, mitigating the risk of malicious exploitation.
-
Disabled Device-to-Device Unlocking: In an effort to amplify physical security, the ability to unlock one device using another nearby trusted device will be turned off.
-
Removal of Chrome WebGPU Support: This will reduce the browser’s attack surface by disabling WebGPU support within this security mode.
- Chat Notification Scam Detection: A new integration focuses on detecting and blocking fraudulent messages specifically targeting chat notifications.
Finally, Google has plans to expand Advanced Protection to include support for managed devices through Android Enterprise later this year. This holistic approach reflects a commitment to creating a safer environment for users who may face heightened risks online.
With these innovative security measures, Google aims to foster a more secure digital experience for Android users, ensuring they can operate confidently amidst evolving cybersecurity threats.