CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Android Intrusion Logging feature introduced to enhance forensic analysis of advanced spyware attacks

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

Google introduced an opt-in Android feature called Intrusion Logging as part of Advanced Protection Mode to enable persistent, privacy-preserving forensic logging for investigating sophisticated spyware compromises. Developed in collaboration with Amnesty International and Reporters Without Borders, the feature logs daily device and network activities such as app processes, installations, network connections, USB file transfers, system certificate changes, and device lock states. Logs are end-to-end encrypted and stored on Google servers for 12 months, protected by encryption keys tied to the user’s Google Account password and screen lock credentials. Malware on the device cannot access, delete, or manipulate logs, and neither Google nor state actors can decrypt them without user credentials. The feature targets high-risk individuals who suspect targeted surveillance, allowing them to share encrypted logs with security experts for forensic analysis. Users cannot delete logs before the 12-month retention period, even if the account is closed or the feature is disabled, though they can download decrypted logs for longer retention at their own risk. The feature is rolling out to devices running Android 16 December update and newer.

Timeline

  1. 13.05.2026 09:55 1 articles · 2h ago

    Android Intrusion Logging feature rolled out to support forensic analysis of advanced spyware compromises

    Google introduced Intrusion Logging as part of Advanced Protection Mode to enable persistent, privacy-preserving forensic logging of device and network activities for investigating sophisticated spyware attacks. The feature logs app activity, network connections, file transfers, certificate changes, and device lock states, with data end-to-end encrypted and stored for 12 months on Google servers, inaccessible to malware or third parties without user credentials. Intrusion Logging is now available on devices running Android 16 December update and newer.

    Show sources
    Open in new tab

Information Snippets

  • Intrusion Logging is an opt-in feature available within Android’s Advanced Protection Mode designed for forensic analysis of suspected spyware compromises.

    First reported: 13.05.2026 09:55
    1 source, 1 article
    Show sources

  • Logs include app process starts, installations, updates, uninstalls, network connections (Wi-Fi, Bluetooth, DNS, IP addresses), USB file transfers, system certificate changes, and device lock/unlock events.

    First reported: 13.05.2026 09:55
    1 source, 1 article
    Show sources

  • Log data is end-to-end encrypted and stored for 12 months on Google servers; encryption keys are derived from the user’s Google Account password and screen lock credentials.

    First reported: 13.05.2026 09:55
    1 source, 1 article
    Show sources

  • Encrypted logs cannot be accessed, modified, or deleted by malware on the device or by Google, and state actors cannot decrypt logs without the user’s credentials.

    First reported: 13.05.2026 09:55
    1 source, 1 article
    Show sources

  • Users cannot delete logs before the 12-month retention period, even if the feature is disabled or the account is closed; they can download and decrypt logs offline at their own risk.

    First reported: 13.05.2026 09:55
    1 source, 1 article
    Show sources

  • Logs capture system-level network events during Chrome Incognito browsing (e.g., DNS lookups, IP connections), enabling attribution of visited domains but not specific pages.

    First reported: 13.05.2026 09:55
    1 source, 1 article
    Show sources

  • Intrusion Logging is currently rolling out to devices running Android 16 December update and newer.

    First reported: 13.05.2026 09:55
    1 source, 1 article
    Show sources