Google on Tuesday introduced an opt-in Android feature called Intrusion Logging to store forensic records for suspected spyware investigations on devices running the Android 16 December update and later. The logs are encrypted end to end, kept for 12 months, and can be downloaded by the device owner.
KEY FACTS
- Purpose: The feature is meant to preserve device activity for forensic review after a suspected compromise.
- Data stored: It records app activity, installs, network connections, USB transfers, certificate changes, and lock or unlock events.
- Security: The logs are encrypted on the device and stored on Google servers, with access tied to the user’s account and screen lock.
- Retention: Logs are kept for 12 months and then automatically deleted.
Google said the feature was developed with Amnesty International and Reporters Without Borders. A help document said the logging runs daily and captures device and network activity, including when apps start and stop, when Wi-Fi or Bluetooth changes, and when DNS lookups or IP connections occur.
The company said the logs cannot be accessed by third parties, including Google, and that users can export them offline if they want to keep them longer. Once downloaded and decrypted, the user is responsible for securing the files. Google also warned that the logs can include network events from Chrome Incognito browsing because the feature works at the system level.
The feature is aimed at high-risk users who suspect they may have been targeted by advanced surveillance tools. The logs can be shared with trusted security experts for analysis, and the company said the rollout is starting on devices with the Android 16 December update and newer.
Google also announced other Android security changes, including verified financial calls, expanded live threat detection, malware checks for downloaded APK files in Chrome, and limits on accessibility service access for apps that are not accessibility tools.
WHY IT MATTERS
The new logging gives users and investigators a built-in record that may help identify difficult-to-detect attacks without relying on data stored on the phone itself. It also adds privacy trade-offs, since exported logs can reveal browsing-related network activity if they are mishandled.

