Google is rolling out Intrusion Logging, an opt-in Android feature in Advanced Protection Mode that records security events to help researchers investigate spyware and forensic device attacks on phones, according to TechCrunch. The feature is available on devices running Android 16 December update and newer, though it currently requires Advanced Protection Mode, a signed-in Google account, and a Google Pixel device.
How Intrusion Logging Works
The logs are created daily and stored in encrypted form in the user’s Google account. According to Google, the feature can record app installs, website and server connections, Android Debug Bridge access, phone unlocks, and attempts to delete records. Amnesty International helped develop the feature.
Addressing Android Forensics Gaps
Intrusion Logging was built to address a significant limitation in Android security research. Android’s technical constraints have historically made sophisticated spyware attacks harder to detect reliably compared to iOS, Apple’s mobile operating system. Before this feature, researchers depended on system logs that were not built for intrusion detection, and those records were often overwritten, which erased signs of an attack.
The system is designed to record attacks from government-grade spyware and police forensic tools such as Cellebrite, a digital forensics company whose software can help law enforcement unlock devices and pull data. No phone maker had previously launched a feature built specifically to help security researchers examine these targeted spyware attacks.
Broader Android Security Context
Intrusion Logging fits into a broader Android security overhaul that includes stronger Factory Reset Protection, which makes stolen phones harder to reuse, plus an upcoming Local Network Protection permission model that would let people control which apps reach devices on the same Wi-Fi network.
Google places Intrusion Logging inside Advanced Protection Mode, which was built to counter government spyware and police forensic devices. This approach differs from Apple’s strategy: Apple offers Lockdown Mode, a security setting that limits some phone functions to cut exposure to attacks. While Lockdown Mode aims to shrink the attack surface, Intrusion Logging adds detailed encrypted records for forensic work after an incident — a capability Android researchers had struggled to gather consistently.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
