
TL;DR:

  • What: Google partnered with Amnesty International to build Intrusion Logging, a forensic feature that detects spyware, forensic tool connections, and evidence tampering on Android devices
  • How it works: End-to-end encrypted logs capture device unlocks, app installs, ADB connections, network activity, and deletion attempts. They are stored in your Google account where only you hold the key
  • Why it matters: First time a major phone maker built a feature specifically designed to catch government spyware like Pegasus and forensic tools like Cellebrite
  • The catch: Pixel phones only. Android 16 required. Most at-risk users (journalists and activists in the Global South) can't access it
  • How to enable: Settings → Security & Privacy → Advanced Protection Mode → Turn on Intrusion Logging

Android's Spyware Blind Spot

For years, catching spyware on Android has been nearly impossible.

When Amnesty International's Security Lab investigated Pegasus infections, they could reliably detect compromises on iPhones. Apple's system logs gave forensic investigators enough data to trace when and how an attack happened. Android? Almost nothing.

"Android's technical limits have made it difficult to deeply analyze system logs and files for signs of compromise, unlike with iOS," said Donncha Ó Cearbhaill, head of Amnesty's Security Lab. "These limits have meant we've been unable to reliably detect known attacks against Android."

That's a massive problem when you consider that Android runs on roughly 3.3 billion devices worldwide. The majority of journalists, activists, and dissidents targeted by government spyware use Android, often because it's cheaper. And until now, there was no reliable way to tell if their phones were compromised.

What Intrusion Logging Actually Captures

Google built Intrusion Logging into Android's Advanced Protection Mode, the high-security setting designed for people at elevated risk of targeted attacks. Here's what it records:

  • Security events: Every device unlock attempt with timestamps and authentication method. Every app install and uninstall. Every process launch.
  • ADB connections: Android Debug Bridge activity (shell commands, file transfers, device connections). This is how forensic tools like Cellebrite extract data from phones. Now there's a record.
  • Network activity: DNS lookups and connection events, showing which servers your phone talks to and which app initiated the connection. This exposes command-and-control infrastructure used by spyware.
  • Deletion attempts: If someone (or something) tries to delete the logs themselves, that gets logged too.

Logs are collected once daily, encrypted with a key that only you hold, and stored in your Google account. Google can't read them. An attacker who compromises your phone can't delete them from the cloud. You choose when, and if, to share them with forensic investigators.

How Investigators Use It

Amnesty updated two open-source tools to work with Intrusion Logging data:

  • AndroidQF: acquires the encrypted logs from a device
  • Mobile Verification Toolkit (MVT): analyzes logs for known indicators of compromise

The workflow: acquire the logs with AndroidQF, run mvt-android check-advanced-logs, review the generated timeline files (security events, DNS queries, network connections), and cross-reference them with known spyware indicators.
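One way an investigator might run that cross-reference step over the kinds of records described above (unlocks, app installs, ADB activity, DNS lookups, connections, deletion attempts), as an added example that is not MVT's code or its real output format: the JSON-lines layout, package names, hosts, addresses and indicator sets are all constructed placeholders.

```python
import json

# Constructed sample timeline in a simplified JSON-lines layout (an assumption,
# not MVT's real format). Package names, hosts and addresses are placeholders.
SAMPLE_TIMELINE = """
{"ts": "2025-09-01T08:12:03Z", "type": "unlock", "detail": "method=fingerprint result=success"}
{"ts": "2025-09-01T08:15:40Z", "type": "dns", "detail": "pkg=com.example.notes host=cdn.example-static.test"}
{"ts": "2025-09-01T21:47:30Z", "type": "adb", "detail": "action=shell cmd=pm_install"}
{"ts": "2025-09-01T21:47:11Z", "type": "app_install", "detail": "pkg=com.example.unknownsvc source=adb"}
{"ts": "2025-09-01T21:49:02Z", "type": "dns", "detail": "pkg=com.example.unknownsvc host=c2.example-malicious.test"}
{"ts": "2025-09-01T21:49:03Z", "type": "net_connect", "detail": "pkg=com.example.unknownsvc dst=203.0.113.10:443"}
{"ts": "2025-09-02T02:00:10Z", "type": "log_delete_attempt", "detail": "pkg=com.example.unknownsvc"}
"""

# Constructed indicator sets; a real investigation would load these from an IoC feed.
IOC_DOMAINS = {"c2.example-malicious.test"}
IOC_IPS = {"203.0.113.10"}
# Event classes the article singles out as noteworthy on their own.
ALWAYS_FLAG = {"adb", "log_delete_attempt"}


def parse_timeline(text):
    """Parse JSON-lines records and return them ordered by timestamp."""
    events = [json.loads(ln) for ln in text.splitlines() if ln.strip()]
    return sorted(events, key=lambda e: e["ts"])  # ISO-8601 UTC sorts lexically


def _fields(detail):
    """Split 'k=v k=v' detail strings into a dict, ignoring malformed items."""
    return dict(item.split("=", 1) for item in detail.split() if "=" in item)


def find_suspicious(events):
    """Return (reason, event) pairs: IoC matches on DNS/network, plus ADB and deletion events."""
    hits = []
    for ev in events:
        f = _fields(ev["detail"])
        if ev["type"] in ALWAYS_FLAG:
            hits.append((f"{ev['type']} event", ev))
        elif ev["type"] == "dns" and f.get("host") in IOC_DOMAINS:
            hits.append(("DNS lookup of known C2 domain", ev))
        elif ev["type"] == "net_connect" and f.get("dst", "").rsplit(":", 1)[0] in IOC_IPS:
            hits.append(("connection to known C2 address", ev))
    return hits


def suspect_packages(hits):
    """Packages named in any flagged event, as leads for deeper analysis."""
    return {_fields(ev["detail"]).get("pkg") for _, ev in hits} - {None}
```

Flagged events come back in time order, so the ADB session, the install it performed, the C2 lookup and the later attempt to delete the logs read as one sequence.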

Before Intrusion Logging, investigators working on Android had to piece together scraps from bugreports and whatever system logs hadn't been overwritten. Now they get a structured, timestamped, tamper-evident record.

Amnesty called it "a fundamental shift in the amount and quality of forensic data available on Android devices." That's not hyperbole. It's the first time a phone maker has built a feature specifically to help catch government hackers.

How It Compares to Apple's Lockdown Mode

Apple launched Lockdown Mode in 2022, and it takes a different approach. Where Google's Intrusion Logging is about detection (catching attacks after they happen), Apple's Lockdown Mode is about prevention. It locks down the attack surface by disabling features that spyware exploits: message attachment previews, certain web technologies, wired connections to computers, and network configuration.

Apple reported in March 2026 that it has never detected a successful attack against a user with Lockdown Mode enabled. That's a strong track record.

Google's Advanced Protection Mode does some prevention too: blocking sideloading, disabling 2G connections, enabling memory tagging. But Intrusion Logging adds something Apple doesn't offer: a forensic evidence trail that investigators can use after the fact.

The ideal setup? Both prevention and detection. Apple leans harder on the first. Google is now catching up on the second.

The Pixel Problem

Here's where this gets frustrating. Intrusion Logging requires:

  • A Google Pixel phone
  • Android 16
  • A Google account
  • Advanced Protection Mode enabled manually

Pixel phones are a tiny fraction of the global Android market. Samsung, Xiaomi, Oppo, and other manufacturers sell the vast majority of Android devices, especially in regions where government spyware is most aggressively deployed.

A journalist in Mexico targeted by Pegasus probably uses a Samsung. An activist in India facing Predator spyware likely has a Xiaomi. A human rights worker in Rwanda documenting abuses almost certainly isn't carrying a Pixel 9.

Google says other manufacturers can adopt Advanced Protection Mode features. But Android's fragmentation problem is legendary. Samsung took years to adopt basic security patches consistently. The idea that dozens of manufacturers will quickly implement a complex forensic logging system is optimistic at best.

Reporters Without Borders endorsed the feature but acknowledged the limitation: the people who need it most are the least likely to have access to it.

The Privacy Tradeoff You Should Know About

Intrusion Logging records your browser history. Every DNS lookup, every connection, every website your phone contacts. It's all in the logs.

Yes, the logs are encrypted with your key. Yes, only you can decrypt them. But if you share logs with investigators (which is the entire point) you're handing over a detailed record of every site you visited.

For most at-risk users, this tradeoff makes sense. Catching a Pegasus infection outweighs browser history exposure. But it's worth knowing what you're opting into.

There's also the Google account requirement. Your encrypted logs live in Google's cloud. That means Google knows you're using Advanced Protection Mode (even if they can't read the log contents), and a government could potentially subpoena Google for the encrypted blobs, though without your key, they'd be useless.

Should You Turn It On?

If you're a journalist, activist, or at elevated risk: Yes. Enable Advanced Protection Mode and Intrusion Logging immediately. The detection capability is worth the privacy tradeoff. Go to Settings → Security & Privacy → Advanced Protection Mode.
If you're a regular user on a Pixel: Consider it. Advanced Protection Mode adds meaningful security with minimal daily impact. Intrusion Logging is insurance you hope you never need.
If you're on a non-Pixel Android: You can't use Intrusion Logging yet. Focus on what you can control: keep your phone updated, don't sideload apps from unknown sources, and use Signal for sensitive communications.
If you're on iPhone: Enable Lockdown Mode if you're at risk. Apple's approach is more about prevention, but it has a perfect track record so far.

What This Means for the Spyware Industry

NSO Group, Intellexa, and other spyware vendors have operated for years knowing that Android infections were nearly undetectable. That advantage just got smaller.

Intrusion Logging doesn't prevent attacks. It creates evidence of them. For spyware companies selling "undetectable" surveillance tools to governments, a feature that logs every suspicious connection, every unauthorized app install, and every attempt to cover tracks is a serious problem.

It won't stop the spyware industry. But it shifts the arms race. Attackers now have to account for the possibility that their tools are being forensically recorded. That changes the calculus for governments considering whether to deploy these tools against journalists and activists who might later expose the attack.

The question is whether "Pixel only" keeps this tool confined to a small enough group that spyware vendors can simply ignore it. If Samsung, Xiaomi, and other manufacturers don't adopt it, the answer is probably yes.
