Security Strategies
Android Adds Intrusion Logging for Sophisticated Spyware Forensics
Cyber RT, May 13, 2026, 3 min read

Google has introduced Intrusion Logging, an opt-in Android feature for Advanced Protection Mode, to store forensic logs for analyzing spyware attacks. Developed with Amnesty International and Reporters Without Borders, it logs device and network activities, encrypted and stored on Google servers for 12 months. Additional Android security updates include verified financial calls, Live Threat Detection, and improved privacy controls, enhancing overall device security.
Google has introduced a new Android feature called Intrusion Logging, designed to enhance the analysis of sophisticated spyware attacks. This feature is part of the Advanced Protection Mode and focuses on persistent and privacy-preserving forensic logging. Developed in collaboration with Amnesty International and Reporters Without Borders, Intrusion Logging records device and network activities daily, providing detailed logs of device behavior and application usage.
The activities recorded by Intrusion Logging include app activity, installations, updates, uninstalls, network connections, file transfers, system certificate changes, and device lock/unlock events. The log data is end-to-end encrypted and stored on Google servers. The encryption keys are protected by the user's Google Account password and screen lock credentials, so only the device owner can decrypt the logs; neither Google nor any third party can.
The logs are stored for 12 months and are automatically deleted afterward. Users cannot delete the logs before this period, even if they disable the feature or close their account. However, users can download the logs offline for extended retention, though they are responsible for the security of the decrypted data. Google advises users to be aware of legal obligations that may require them to provide access to decrypted data or security credentials.
Because it operates at the system level, Intrusion Logging also captures network events during Chrome Incognito browsing, such as DNS lookups and IP connections. This means the sites a device contacted can be identified, but not the specific pages visited. The feature is particularly beneficial for high-risk individuals who suspect they are targeted by advanced surveillance tools, as it lets them share the logs with trusted security experts for analysis.
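As an added illustration of how an analyst receiving such a log set might triage the event categories the article lists (installs, network connections, certificate changes, lock/unlock), the following is example code, not Google's or the article's; the JSON-lines layout and field names are a constructed assumption, since the export format is not described here.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export (one JSON object per line); the layout is an assumption.
SAMPLE_LOG = """\
{"ts":"2026-01-10T09:00:00Z","type":"unlock"}
{"ts":"2026-01-10T09:05:00Z","type":"lock"}
{"ts":"2026-01-10T09:07:00Z","type":"install","pkg":"com.example.update","installer":null}
{"ts":"2026-01-10T09:08:00Z","type":"cert_change","action":"add","subject":"CN=Example Root"}
{"ts":"2026-01-10T09:09:00Z","type":"connect","host":"203.0.113.5","pkg":"com.example.update"}
{"ts":"2026-01-10T12:00:00Z","type":"unlock"}
{"ts":"2026-01-10T12:01:00Z","type":"install","pkg":"com.example.news","installer":"com.android.vending"}
{"ts":"2026-01-10T12:02:00Z","type":"connect","host":"198.51.100.7","pkg":"com.example.news"}
"""

def parse(text):
    """Parse the JSON-lines export into chronological event dicts."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda ev: ev["ts"])

def triage(events, window=timedelta(minutes=10)):
    """Return (kind, timestamp, detail) findings an analyst should review."""
    findings, locked, suspect = [], False, {}
    for ev in events:
        t = ev["type"]
        if t in ("lock", "unlock"):
            locked = (t == "lock")
        elif t == "install":
            if locked:  # installed while the screen was locked: no user interaction
                findings.append(("install_while_locked", ev["ts"], ev["pkg"]))
                suspect[ev["pkg"]] = ev["ts"]
            if not ev.get("installer"):  # no store/installer recorded: sideload
                findings.append(("sideload_install", ev["ts"], ev["pkg"]))
                suspect[ev["pkg"]] = ev["ts"]
        elif t == "cert_change" and ev.get("action") == "add":
            findings.append(("system_cert_added", ev["ts"], ev["subject"]))
        elif t == "connect" and ev.get("pkg") in suspect:
            # First network contact by a suspect package shortly after it appeared
            if ev["ts"] - suspect[ev["pkg"]] <= window:
                findings.append(("early_network_from_suspect_pkg", ev["ts"], ev["host"]))
    return findings

if __name__ == "__main__":
    for kind, ts, detail in triage(parse(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:32} {detail}")
```

The store-installed package in the sample produces no finding, while the locked-screen sideload, the added system certificate and the package's immediate outbound connection are surfaced for review.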
The feature is being rolled out to devices running the Android 16 December update and newer. Google is the first major vendor to address the challenge of detecting advanced attacks on devices proactively. By providing more forensic data for researchers, the company aims to make it more difficult for attackers and help civil society hold perpetrators accountable for unlawful targeting with spyware.
In addition to Intrusion Logging, Google has announced several other privacy and security enhancements for Android. These include verified financial calls to combat phone call spoofing, expanded Live Threat Detection, and improved app behavior warnings. Other updates involve evaluating APK files for malware, restricting accessibility services API access, and enhancing device recovery features.
Google is also introducing better privacy controls, AISeal with pKVM for AI data isolation, and expanding Binary Transparency for app integrity verification. Additional measures include hiding SMS OTPs from most apps, allowing carriers to disable 2G by default, and implementing post-quantum cryptography for future threat protection. These updates aim to maintain Android's position as a secure platform, as stated by Eugene Liderman, director of Android security and privacy.

