Android’s New Spyware Defense Could Expose Hackers But There’s a Catch

Google’s new “Intrusion Logging” feature promises forensic-level spyware detection on Android, but users must manually enable it and only select devices support it for now.
May 14, 2026
Google’s new Android Intrusion Logging system is designed to help uncover sophisticated spyware attacks on smartphones. [superantispyware]

Google has unveiled a major Android security feature that could fundamentally change how sophisticated spyware attacks are detected on smartphones. The company’s new “Intrusion Logging” system is designed to help investigators uncover evidence of advanced digital intrusions, including attacks involving government-grade spyware tools that often leave almost no trace behind.

The feature arrives as spyware threats continue escalating globally, with surveillance tools such as Pegasus and Predator repeatedly linked to attacks targeting journalists, activists, lawyers, diplomats, opposition politicians, and business executives. Modern spyware campaigns increasingly rely on zero-click exploits that compromise phones silently without requiring any interaction from victims.

Google’s answer is a forensic system built directly into Android.

Called Intrusion Logging, the new capability is part of Android’s Advanced Protection Mode, an opt-in high-security environment designed for people at elevated risk of targeted attacks. Unlike conventional mobile security tools that mainly focus on preventing infections, Intrusion Logging concentrates on preserving evidence after suspicious activity occurs.

That distinction could prove critical.

For years, cybersecurity investigators have struggled to analyze spyware infections because mobile operating systems were never designed to preserve long-term forensic evidence. Most logs disappear quickly, and sophisticated attackers routinely erase traces of compromise before researchers can inspect infected devices. Amnesty International’s Security Lab said the lack of durable forensic evidence has been one of the biggest obstacles in uncovering spyware campaigns worldwide.

Intrusion Logging changes that model by continuously recording security-sensitive events across the device. According to Google and cybersecurity researchers, the system stores encrypted forensic logs covering app installations, browser activity, device unlock attempts, USB connections, Android Debug Bridge access, network behavior, DNS requests, and possible tampering incidents.

The logs remain available for up to 12 months, dramatically increasing the chances investigators can reconstruct attack timelines long after an intrusion occurred.

Google developed the feature alongside Amnesty International and other civil society organizations focused on digital rights and spyware investigations. Amnesty described the rollout as a landmark moment for smartphone security, calling it the first time a major device maker has introduced a built-in forensic logging system specifically aimed at helping researchers detect sophisticated digital attacks.

That collaboration matters because Amnesty’s Security Lab has become one of the world’s leading organizations investigating spyware abuse. Its researchers have uncovered numerous Pegasus infections over recent years and helped expose surveillance operations targeting civil society groups across multiple countries.

Google says privacy protections are central to the new system.

The company claims Intrusion Logging uses end-to-end encryption, meaning even Google cannot access the forensic data stored on users’ devices. If compromise is suspected, users can choose to securely share encrypted logs with trusted investigators or security researchers for analysis.

Still, the feature is not without controversy.

Because Intrusion Logging stores detailed device activity records, including browsing history and network metadata, privacy advocates warn that users will need to think carefully before sharing logs externally. While the information is encrypted, the logs may still contain highly sensitive personal activity details depending on how devices are used.

The rollout also comes with several important limitations.

First, Intrusion Logging is disabled by default. Users must manually enable Android Advanced Protection Mode and activate the forensic logging feature themselves. That means many Android users may never turn it on, either because they are unaware of the feature or because they do not believe they are at risk of sophisticated attacks.

Second, the feature currently supports only newer Google Pixel devices running Android 16 and connected to a Google account. Wider Android ecosystem adoption may take time, especially given the fragmented nature of Android software updates across manufacturers.

Even with those restrictions, cybersecurity experts see the move as a major shift in Android security strategy.

Instead of assuming advanced attacks can always be prevented, Google is acknowledging that some intrusions may succeed and that preserving forensic evidence afterward is equally important. That approach mirrors broader trends in enterprise cybersecurity, where threat detection and incident response have become as critical as traditional prevention systems.

The launch also strengthens comparisons between Android and Apple in the growing fight against commercial spyware tools.

Apple introduced Lockdown Mode in 2022 as an aggressive security mode aimed at protecting high-risk users from mercenary spyware attacks. Earlier this year, Apple said it was unaware of any successful spyware infections on devices running Lockdown Mode.

Google’s Advanced Protection Mode serves a similar purpose, but Intrusion Logging introduces a major difference: Android is now offering forensic visibility specifically designed to help uncover attacks after they happen. That investigative layer could give researchers and human rights organizations far stronger tools for documenting digital surveillance campaigns.

The new feature is part of a broader Android security expansion announced during Google’s latest Android security showcase. The company also revealed enhanced phishing protections, scam call defenses, malicious APK detection, theft protections, and AI-powered fraud detection systems aimed at combating increasingly sophisticated mobile attacks.

Recent Android updates have already hinted at Google’s broader Android ecosystem strategy, while the latest Google Play system update introduced additional security-focused improvements across the platform.

Google has also expanded device-level protections with stronger anti-rollback protection for Pixel devices, alongside rapid Android 17 testing that continues accelerating Android’s security update cycle.

The growing focus on privacy also comes amid broader digital surveillance concerns across the tech industry, especially as companies race to strengthen protections for user data and communications. Google and Apple recently expanded encrypted RCS messaging support in another major security-focused industry shift.

For now, Intrusion Logging may remain a niche tool mostly used by journalists, activists, and cybersecurity researchers. But its introduction signals a larger change in how smartphone makers think about security.

Modern mobile threats are no longer limited to simple malware or stolen passwords. Governments, surveillance vendors, and organized cybercriminals are deploying industrial-grade spyware capable of turning smartphones into full-time surveillance devices. Google’s new forensic logging system represents one of the clearest signs yet that major tech companies now view those threats as part of mainstream smartphone security.

Technology Desk

The Technology Desk leads The Eastern Herald's coverage of consumer technology, online platforms, artificial intelligence, and internet policy — from Apple, Nvidia, and Samsung product launches to OpenAI and Anthropic, the EU AI Act, the Digital Services Act, and global content moderation rules. The desk corroborates through The Verge, Reuters, Bloomberg, and TechCrunch.