Google Launches Android Spyware Forensics Tool for High-Risk Users

Google is rolling out a new feature that will help investigate spyware attacks on Android devices.

The new tool, called Android Intrusion Logging, was released on May 12 as part of Google’s Android Advanced Protection Mode (AAPM).

This mode, comparable to Apple’s Lockdown Mode, was launched in 2025. Aimed at at-risk users, AAPM bundles a predetermined set of features that harden the device against scams, fraud and targeted attacks.

AAPM’s newest feature, Intrusion Logging, was developed by Google in partnership with civil society organizations, including Amnesty International’s Security Lab and Reporters Without Borders' Digital Security Lab.

With Intrusion Logging, high-risk Android users can log their device and network activities for times when they notice suspicious activity or suspect their device has been infected with malware.

Those logs let trusted security experts perform forensic investigations into the device's behavior, including the applications running on it.

These logs include:

  • Security events (e.g. device unlocking, physical access and abusive interactions)
  • Spyware installation and removal
  • Domain Name System (DNS) and connection events

All forensic logs, collected once a day by default, are encrypted with a user-generated key before the logs are securely archived in the user’s Google account. The logs can later be accessed and decrypted by the user, but not by Google or any unauthorized third parties.

When forensic analysis is required, the device owner must explicitly share these logs from the device itself in a secure manner with the forensic analyst.
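The flow described above (a daily bundle of security, package and DNS events, sealed on the device with a key only the owner holds, archived in the cloud account, and opened later by the owner for sharing) can be modelled in a few dozen lines. The following Go program is an added illustration written for this article; it is not Google's implementation, and the record layout, the event field names, the use of AES-256-GCM and the sample events are all assumptions made here. It shows the property the text relies on: whoever holds the archive but not the key can neither read the bundle nor silently alter it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// LogEvent is one intrusion-log record. The categories mirror the three log
// types the article lists; the field names are this example's assumption.
type LogEvent struct {
	Time     string `json:"time"`
	Category string `json:"category"` // "security", "package" or "dns"
	Detail   string `json:"detail"`
}

// DailyBundle is everything collected in one daily run.
type DailyBundle struct {
	Day    string     `json:"day"`
	Events []LogEvent `json:"events"`
}

// ArchivedRecord is what the cloud account stores: the day in the clear as an
// index, plus the sealed bundle that only the key holder can open.
type ArchivedRecord struct {
	Day    string
	Sealed []byte // nonce || AES-256-GCM ciphertext+tag
}

// sampleBundle returns constructed sample events (not real device output).
func sampleBundle() DailyBundle {
	return DailyBundle{Day: "2026-05-12", Events: []LogEvent{
		{"2026-05-12T02:14:09Z", "security", "screen unlocked with PIN"},
		{"2026-05-12T02:15:41Z", "package", "installed com.example.sideloaded from unknown source"},
		{"2026-05-12T02:16:02Z", "dns", "query example.net -> 203.0.113.7"},
	}}
}

// NewUserKey generates the 256-bit key that stays with the device owner.
func NewUserKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBundle seals the serialized bundle with AES-256-GCM. The day label is
// bound as additional authenticated data, so the index cannot be re-labelled.
func EncryptBundle(key []byte, b DailyBundle) (ArchivedRecord, error) {
	plaintext, err := json.Marshal(b)
	if err != nil {
		return ArchivedRecord{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return ArchivedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ArchivedRecord{}, err
	}
	// Prefix the nonce to the ciphertext so the record is self-describing.
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(b.Day))
	return ArchivedRecord{Day: b.Day, Sealed: sealed}, nil
}

// DecryptBundle opens an archived record. It fails on a wrong key, a modified
// ciphertext, or a changed day label.
func DecryptBundle(key []byte, rec ArchivedRecord) (DailyBundle, error) {
	var out DailyBundle
	gcm, err := newGCM(key)
	if err != nil {
		return out, err
	}
	if len(rec.Sealed) < gcm.NonceSize() {
		return out, fmt.Errorf("archived record too short")
	}
	nonce, ct := rec.Sealed[:gcm.NonceSize()], rec.Sealed[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ct, []byte(rec.Day))
	if err != nil {
		return out, fmt.Errorf("cannot open record (wrong key or tampered data): %w", err)
	}
	err = json.Unmarshal(plaintext, &out)
	return out, err
}

func main() {
	key, _ := NewUserKey()
	rec, _ := EncryptBundle(key, sampleBundle())
	// The archive holder has rec but not key and cannot read it.
	if _, err := DecryptBundle(make([]byte, 32), rec); err != nil {
		fmt.Println("archive holder:", err)
	}
	// The owner decrypts and decides what to hand to the analyst.
	b, _ := DecryptBundle(key, rec)
	for _, e := range b.Events {
		fmt.Printf("%s %-8s %s\n", e.Time, e.Category, e.Detail)
	}
}
```

Binding the day label as authenticated data is the design point worth noting: an archive that stores an index alongside opaque ciphertext should make sure the index itself cannot be swapped without the owner noticing, otherwise a day's evidence could be quietly misfiled or replaced by another day's record.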

On Google Pixel devices, the Intrusion Logging feature can be found under the Menu: Settings > Security & privacy > Advanced Protection > Device protection. Source: Amnesty International

“Intrusion Logging logs may include sensitive information such as browser navigation history. Secure sharing of logs and informed consent are therefore more essential than ever,” warned Amnesty International in a May 12 report.

Donncha Ó Cearbhaill, head of security at Amnesty Tech, praised Google for the release of Intrusion Logging on X. He explained that spyware forensic work “has so far relied on incidental logs that were never designed for security analysis and are too often partial and short-lived.”

“Now we have the possibility to detect advanced spyware, exploits, unauthorized physical access, even months after the fact,” he added.

The feature is opt-in for Pixel devices on Android 16 and later versions with Advanced Protection mode enabled. Users who wish to benefit from Intrusion Logging must have a Google account linked to their device.

Google plans to roll Intrusion Logging out beyond Pixel devices in the future.

In parallel with the introduction of Intrusion Logging, Amnesty International has released updates to Android Quick Forensics (AndroidQF) and the Mobile Verification Toolkit (MVT).

AndroidQF is a lightweight, open source forensic tool for Android devices that quickly extracts and analyzes critical evidence during investigations. MVT is an Amnesty-made, open source toolkit that simplifies and automates the gathering of forensic traces to identify a potential compromise of Android and iOS devices.

Latest Updates to Android Advanced Protection Mode

Google has also rolled out a package of updates to its Android Advanced Protection Mode. These include:

  • USB Protection: Now available on all Pixel devices running Android 16 and newer, this feature blocks new USB data connections while the device screen is locked
  • Restricted accessibility services: Starting with Android 17, the mode will remove accessibility service access for all apps that are not explicitly labeled as accessibility tools, to prevent malicious exploitation
  • Disabled device-to-device unlocking: To enhance physical security, the ability to unlock one device using another nearby trusted device is being disabled
  • Chrome WebGPU support removal: Support for WebGPU in Chrome will be disabled within this mode to reduce the browser's attack surface
  • Chat notification scam detection: The mode will now integrate scam detection specifically for chat notifications to help identify and block fraudulent messages

Finally, Advanced Protection will be expanded to support managed devices through Android Enterprise later this year.

Image credits: Thrive Studios ID / DIA TV / Shutterstock.com