Google has launched a significant security update for Android devices dubbed “Intrusion Logging,” a feature designed to assist security researchers in identifying and analyzing sophisticated spyware attacks. This tool is integrated into the company’s Advanced Protection Mode, an opt-in security layer specifically engineered to defend against government-grade spyware and forensic data extraction tools that are increasingly used to compromise mobile devices.

The new logging system represents a major advancement in mobile forensics by creating a dedicated, persistent record of security-related events. Previously, forensic investigators struggled to identify attacks on Android because existing logs were not designed for intrusion detection, were often ephemeral, and were frequently overwritten before they could be analyzed. Intrusion Logging changes this by capturing critical data—such as device unlock events, application installations, and connections to external forensic tools—and encrypting them in the cloud to prevent attackers from tampering with or erasing the evidence.

Developed in collaboration with security experts, the feature tracks specific indicators of compromise, including unauthorized access attempts, connections to malicious servers, and modifications to the device’s debugging interface. While the logs provide unprecedented visibility into potential incursions, Google notes that privacy remains a priority; the data is encrypted such that only the device owner can access it and authorize its sharing with investigators.

Currently, the feature is being deployed to devices running the December Android update and later. While it is a powerful tool for high-risk users such as journalists, activists, and human rights defenders, it is currently limited to Google’s Pixel hardware. This move aligns with broader industry efforts to provide robust protections against targeted digital threats, similar to lockdown mechanisms found on other major mobile operating systems.