Android Adds Advanced Spyware Logging

Google on Tuesday introduced a new opt-in feature for Android called Intrusion Logging, which maintains forensic logs for better analysis of sophisticated spyware attacks.
Intrusion Logging, available as part of Advanced Security Mode, enables “persistent and privacy-preserving forensics logging to allow investigation of devices in the event of a suspected intrusion,” the company said.
This feature, it added, was developed in collaboration with Amnesty International and Reporters Without Borders. According to a help document shared by Google, it logs device and network activities on a daily basis, including information about the behavior of the device and the various applications running on it.
The types of recorded activities are listed below –
- Application activity (e.g., when an application process starts)
- Application installation, updates, and uninstallation
- Network activity such as Wi-Fi and Bluetooth being enabled or disabled, DNS lookups, and IP addresses
- File transfers to or from the device via USB
- Changes to system certificates
- When the device is locked or unlocked
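To illustrate how the event categories above can be combined during an investigation, the following added example (not code from Google or from the original article) walks a constructed event list and surfaces USB transfers that happened while the device was locked, together with the events that followed within ten minutes. The record schema, the type labels and the heuristic itself are assumptions; the article does not describe the export format.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names and type labels are hypothetical,
# mirroring the categories listed above; this is not Google's export format.
EVENTS = [
    ("2025-12-10T08:00:00", "device_unlock", ""),
    ("2025-12-10T08:05:00", "dns_lookup", "example.org"),
    ("2025-12-10T08:30:00", "device_lock", ""),
    ("2025-12-10T09:10:00", "usb_transfer", "to_device"),
    ("2025-12-10T09:11:00", "app_install", "com.example.updater"),
    ("2025-12-10T09:12:00", "cert_change", "system CA added"),
    ("2025-12-10T09:12:30", "process_start", "com.example.updater"),
    ("2025-12-10T09:40:00", "dns_lookup", "example.net"),
    ("2025-12-10T12:00:00", "device_unlock", ""),
    ("2025-12-10T12:01:00", "usb_transfer", "from_device"),
]

def parse(events):
    """Convert raw tuples to (datetime, type, detail), sorted by time."""
    return sorted((datetime.fromisoformat(ts), kind, detail)
                  for ts, kind, detail in events)

def usb_while_locked(events, context=timedelta(minutes=10)):
    """Return [(anchor, follow_up_events)] for USB transfers seen while locked.

    Lock state is unknown until the first lock/unlock record, so transfers
    before that point are not flagged (assumed heuristic: a lead, not a verdict).
    """
    timeline = parse(events)
    locked = None
    findings = []
    for i, (ts, kind, detail) in enumerate(timeline):
        if kind == "device_lock":
            locked = True
        elif kind == "device_unlock":
            locked = False
        elif kind == "usb_transfer" and locked:
            # Collect what happened shortly after the anchor event as context.
            follow = [e for e in timeline[i + 1:] if e[0] - ts <= context]
            findings.append(((ts, kind, detail), follow))
    return findings

if __name__ == "__main__":
    for anchor, follow in usb_while_locked(EVENTS):
        print("USB transfer while locked:", anchor[0].isoformat(), anchor[2])
        for ts, kind, detail in follow:
            print("   then", ts.isoformat(), kind, detail)
```
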
Google also noted that log data is end-to-end encrypted and stored on Google servers. The encryption keys are protected by the Google Account password and screen lock credentials, which means that the logs cannot be accessed by anyone other than the owner of the device, including Google itself.
“By storing data on a secure server, even malware installed on a smartphone cannot find, delete, or control it,” Reporters Without Borders said. “End-to-end encryption also ensures that Google or regional actors cannot access the data. The Intrusion Function in particular allows the detection and forensic analysis of even the most complex and previously difficult-to-detect attacks.”
Encrypted logs are stored for a period of 12 months, after which they are automatically deleted. Once logging is enabled, the user cannot delete logs before the 12-month expiration window, even if the account is closed or the feature is disabled. Users have the option to download the logs if they would like to keep them longer.
That said, Google emphasized that once logs are downloaded and decrypted, users are responsible for their own security. “In certain legal or regulatory jurisdictions, you may be required by law to provide access to your deleted data or your security credentials,” it pointed out.
Another thing to remember when enabling the feature is that it also records network events generated during Chrome Incognito browsing, such as DNS lookups and IP connections, because it works at the system level and does not differentiate between browsing modes. In other words, anyone with access to the decrypted logs can determine which websites have been visited, but cannot identify specific pages on those sites.
The motivation behind Intrusion Logging is that a high-risk individual, who suspects that they may be targeted by advanced surveillance tools because of who they are and what they do, can share the logs with trusted security professionals for further investigation.
Logs can be downloaded by opening the Settings app, then tapping Security and privacy -> Advanced Security -> Login -> Access logs. This feature is currently active on all devices running the Android 16 December update and newer.
“With Intrusion Logging, Google is the first major vendor to directly address the challenge of detecting advanced machine attacks,” said Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, in a statement. “By making more consistent intelligence data available to researchers, we can make life more difficult for attackers and help the public demand accountability when their devices are illegally targeted by spyware and mobile data mining tools.”
More Privacy and Security Features Coming to Android
In addition to Intrusion Logging, Google has announced privacy and security improvements, including verified financial calls, a new call tampering protection feature to combat attacks where fraudsters pose as banks to trick users into revealing sensitive data or transferring funds.
When users receive a call that appears to be from a participating bank, Android asks the installed online banking app to verify that the bank is actually trying to reach the customer. If the application confirms that no such call is being made, the call is automatically ended by the system.
“Your bank or financial institution may also designate numbers as incoming only, meaning they are never used to call customers,” Google said. “Incoming calls from these numbers will be blocked directly.” The feature is expected to go live on Android 11+ devices with Revolut, Itaú, and Nubank in the coming weeks, before being expanded to additional banks later this year.
Some notable changes are listed below –
- Expanding Live Threat Detection to issue alerts about suspicious app behavior, including SMS forwarding and accessibility overlays commonly used by Android banking trojans to steal credentials.
- Scanning APK files downloaded with Chrome on Android for known malware before installation, if Safe Browsing is enabled.
- Removing access to the accessibility services API from all applications not labeled as accessibility tools.
- Disabling device-to-device unlocking and Chrome WebGPU support.
- Adding scam detection for chat notifications.
- Improving Find Hub’s Mark as lost feature with the ability to lock the phone with biometric authentication, preventing thieves from turning off device tracking if the device is marked as lost. Triggering Mark as lost also enables additional protections such as hiding Quick Settings and disabling new Wi-Fi and Bluetooth connections.
- Reducing the number of times a third party with physical access to a device can guess a PIN or password, in addition to using longer wait times between failed attempts.
- Improving device discovery by making the device’s IMEI number accessible through the lock screen on devices running Android 12 or higher.
- Better privacy controls that allow users to temporarily share their exact location to perform certain tasks while a certain app is open, and grant access to specific contacts in a third-party app, as opposed to sharing the entire address book.
- Introducing AISeal with pKVM for hardware-backed, on-device classification of artificial intelligence (AI)-related data processing.
- Extending Binary Transparency to Android to ensure integrity through validation of official architectures and a public ledger for genuine Google applications and underlying GMS APIs.
- Hiding SMS one-time passwords (OTPs) from most applications for three hours to prevent OTP theft by malicious applications granted SMS permission.
- Giving carriers the ability to disable 2G automatically to protect customers from legacy technology vulnerabilities.
- Hardening data protection by introducing post-quantum cryptography to protect against future threats.
- Including transparent user controls to opt in and out of all features, security policies, and transparency when using Gemini on Android.
“By improving security against bank fraud, and extending powerful defenses like Live Threat detection and Android Advanced Protection, we’re ensuring Android remains the most secure platform,” said Eugene Liderman, Android’s director of security and privacy.



