In response to the rise in state-level spyware attacks in recent years, Google is developing a new optional feature for Android: intrusion logging. The feature is not intended for ordinary users; it helps security researchers check whether a device has been infected by spyware through in-depth inspection of system logs.

Intrusion logging is part of Android's Advanced Protection mode, an optional feature that Google offers to Android users. When a user enables it, some system options are disabled to improve security. For example, with Advanced Protection mode enabled, it becomes significantly harder to infect a device through browser engine vulnerabilities.
Advanced Protection mode can also counter forensic devices that try to extract key information from the system. In an earlier state-level spyware attack in Serbia, Serbian authorities used forensic tools developed by Cellebrite to unlock Android devices, then installed spyware and continued to monitor the target.
Intrusion logging can provide researchers with comprehensive logs:
Intrusion logging is essentially a new type of log that Google developed for Android. It is more comprehensive and detailed than Android's regular logs, and it records various software events as evidence, helping users and security researchers understand the full course of a suspected spyware attack.
In the past, forensic analysis relied mainly on logs that were not designed to detect intrusions. Such logs are of limited use to security researchers because they are kept only for a short time and are often overwritten. Spyware can stay hidden on a device for a long time, and if the logs have been overwritten, researchers cannot trace the source of the attack.
With intrusion logging enabled, the system creates and collects logs every day. The collected logs are encrypted using high-strength algorithms and uploaded to the user's Google account. Therefore, even if the logs are erased locally, researchers can still search them through the cloud.
It is worth noting that the intrusion logging feature was actually developed in 2025, but Google is only now gradually deploying it. Google stated in its blog that the feature is being rolled out to devices running the Android 16 December 2025 update or higher.
Events that intrusion logging tracks:
When the Android device was unlocked
When an application is installed, launched, or uninstalled
Which websites or servers the Android device has connected to
Whether someone has connected to the target device over ADB (forensic tools need to connect through ADB to read the data)
Whether anyone has tried to delete the logs for the events above (this would suggest someone was trying to hide evidence of the attack)
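
The following Python example, added here and not taken from Google or the original article, shows how a researcher might triage such events: it flags an unlock followed by an ADB connection and an app installation within a short window, and any attempt to delete logs. The event schema, field names, time window and sample data are assumptions constructed for this example; the article does not describe the real log format.

```python
from datetime import datetime, timedelta

# Constructed sample events. The field names and type strings are a
# hypothetical schema for this example, not Android's real export format.
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T08:02:11", "type": "unlock", "detail": ""},
    {"ts": "2026-01-10T08:05:40", "type": "app_launch", "detail": "com.example.mail"},
    {"ts": "2026-01-12T14:30:02", "type": "unlock", "detail": ""},
    {"ts": "2026-01-12T14:31:15", "type": "adb_connect", "detail": "usb"},
    {"ts": "2026-01-12T14:33:48", "type": "app_install", "detail": "com.example.sysupdate"},
    {"ts": "2026-01-12T14:36:20", "type": "log_delete_attempt", "detail": ""},
    {"ts": "2026-01-15T09:00:00", "type": "app_install", "detail": "com.example.notes"},
]


def triage(events, window=timedelta(minutes=10)):
    """Return findings for unlock -> ADB -> install chains and log deletion attempts."""
    # Parse timestamps once and process events in chronological order.
    evs = sorted(({**e, "t": datetime.fromisoformat(e["ts"])} for e in events),
                 key=lambda e: e["t"])
    findings = []
    for i, e in enumerate(evs):
        if e["type"] == "log_delete_attempt":
            # Deleting these logs suggests an attempt to hide evidence.
            findings.append({"rule": "log_deletion", "at": e["ts"], "packages": []})
        if e["type"] != "adb_connect":
            continue
        # An unlock shortly before the ADB session suggests hands-on access.
        unlocked = any(p["type"] == "unlock" and e["t"] - p["t"] <= window
                       for p in evs[:i])
        # Packages installed shortly after the ADB session started.
        installed = [n["detail"] for n in evs[i + 1:]
                     if n["type"] == "app_install" and n["t"] - e["t"] <= window]
        if unlocked and installed:
            findings.append({"rule": "unlock_adb_install", "at": e["ts"],
                             "packages": installed})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Isolated installs or unlocks do not trigger the chain rule; only the combination within the window does, which keeps routine device use out of the findings.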