Google began rolling out a new opt-in Android security feature in May 2026 designed to help security researchers detect and investigate spyware attacks on mobile devices. The feature, called Intrusion Logging, is part of Android’s Advanced Protection Mode and is currently available on Pixel devices running the Android 16 December update or newer.
Intrusion Logging works by capturing security-related events once a day and storing them encrypted in the user’s Google account. Because the logs are held in the cloud, spyware cannot easily delete evidence of a compromise. The encryption ensures only the user — not Google — can access or share the logs with investigators.
The logs track a range of device activity, including when the phone was unlocked, which apps were installed or removed, what websites and servers the device connected to, whether a forensic tool such as Cellebrite connected via Android Debug Bridge, and whether anyone attempted to delete the logs themselves.
Google developed the feature in partnership with Amnesty International. Donncha Ó Cearbhaill, head of Amnesty’s Security Lab, told TechCrunch that Android’s existing technical limits “have made it difficult to deeply analyze system logs and files for signs of compromise, unlike with iOS,” adding that those limits meant researchers had been “unable to reliably detect known attacks against Android.” Amnesty described Intrusion Logging as “a fundamental shift in the amount and quality of forensic data available on Android devices.”
The feature is intended for users at elevated risk of targeted surveillance, including journalists, activists, human rights defenders, and dissidents. Google notes it is comparable in purpose to Apple’s Lockdown Mode, which targets the same audience.
Intrusion Logging currently has several limitations: it requires Advanced Protection Mode to be enabled, is restricted to Pixel devices, needs the latest Android software, and must be linked to a Google account. Users should also be aware that the logs include browser navigation history and server connections.
Google announced the feature a year before this rollout. Amnesty has published step-by-step instructions for users who suspect they have been targeted and want to download their logs for review.
Source: TechCrunch