Google is rolling out a new opt-in feature in Android that aims to help security researchers investigate spyware attacks.
The feature is called “Intrusion Logging” and is part of Android’s Advanced Protection Mode, which Google launched last year, an opt-in special security mode that enables certain features with the goal of making the device harder to hack. Advanced Protection Mode is designed to counter government spyware attacks and police forensic devices that attempt to extract data from a person’s phone.
These two types of attacks can also be combined. In at least one documented case in Serbia, authorities used a law enforcement forensic tool made by Cellebrite to unlock a device, and then installed spyware as a further step to continue monitoring the target.
The rollout of Intrusion Logging is the first time a phone maker has launched a feature with the goal of helping security researchers investigate spyware attacks. To achieve that, Android’s Intrusion Logging creates a new type of log, which records errors and collects evidence when something goes wrong with the software, to provide visibility into suspected spyware attacks.
Amnesty International, which worked with Google to develop the feature, called Intrusion Logging “a fundamental shift in the volume and quality of forensic data available on Android devices.”
“Until now, forensic analysis has relied on logs that were never designed for intrusion detection,” Amnesty wrote in a blog post that explains in detail how Intrusion Logging works. That meant earlier logs were not that useful for researchers, as they did not remain on the device for long and were often overwritten, effectively erasing potential evidence of attacks.
Donncha Ó Cearbhaill, the head of Amnesty’s Security Lab, told TechCrunch that Android’s technical limits “have made it difficult to deeply analyze system logs and files for signs of compromise, unlike with iOS.”
“These limits have meant we've been unable to reliably detect known attacks against Android,” said Ó Cearbhaill, who has for years investigated dozens of cases of spyware abuse around the world.
The ability to detect spyware attacks should improve with Intrusion Logging. Google announced the feature a year ago, but the company is deploying it only now. In a Tuesday blog post, Google said that Intrusion Logging “is currently rolling out to all devices running the Android 16 December update and newer.”
How Intrusion Logging works
Intrusion Logging captures events related to security and potential intrusions. For starters, the feature creates and collects logs once a day and stores them encrypted in the user’s Google account in the cloud. Uploading logs to the cloud potentially prevents spyware from deleting evidence of a device compromise. The logs are also encrypted so that only the user can access the logs and share them with investigators; Google cannot access them.
The events that Intrusion Logging keeps track of include: when the phone was unlocked; when applications have been installed and uninstalled; what websites and servers the phone connected to; whether someone connected to Android Debug Bridge, a tool that allows a computer or a device such as a forensic tool like Cellebrite to connect to an Android device; and whether someone tried to delete the logs related to these events, which could indicate an attempt to hide evidence of an attack.
In the case of a spyware attack, these logs can help investigators understand when and how authorities may have hacked or forcibly unlocked someone's device and connected it to a forensics tool, or used it to install spyware or stalkerware. The logs can also determine whether a phone at any point connected to a malicious website that tries to hack the visiting device, or accessed servers designed to extract data from the phone.
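The event categories above, as an added triage example that is not part of the article or of Google's or Amnesty's tooling; the line format (timestamp|event|detail) is a constructed assumption, since the article does not document what exported logs look like. It flags the two patterns the article describes: an unlock followed shortly by an ADB connection and an app install, and any attempt to delete the intrusion log itself.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp|event|detail" format.
# The real Intrusion Logging export format is not described in the article.
SAMPLE_LOG = """\
2025-12-02T09:14:03|device_unlocked|method=pin
2025-12-02T09:15:40|adb_connected|host=usb
2025-12-02T09:21:12|app_installed|package=com.example.unknown
2025-12-02T09:22:05|network_connection|host=203.0.113.10
2025-12-02T09:30:00|log_deletion_attempt|target=intrusion_log
2025-12-03T08:00:00|device_unlocked|method=fingerprint
"""


def parse_events(text):
    """Parse constructed log lines into (datetime, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, detail = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), event, detail))
    return events


def triage(events, window=timedelta(minutes=30)):
    """Return findings an investigator would review first.

    Pattern 1: unlock -> ADB connection -> app install within `window`
    (the forensic-unlock-then-spyware sequence the article describes).
    Pattern 2: any attempt to delete the intrusion log, which the article
    notes may indicate an effort to hide evidence of an attack.
    """
    findings = []
    for i, (t_unlock, ev, _) in enumerate(events):
        if ev != "device_unlocked":
            continue
        later = [e for e in events[i + 1:] if e[0] - t_unlock <= window]
        adb = next((e for e in later if e[1] == "adb_connected"), None)
        if adb is None:
            continue
        for inst in (e for e in later if e[1] == "app_installed" and e[0] > adb[0]):
            findings.append(
                f"unlock at {t_unlock.isoformat()} -> ADB at {adb[0].isoformat()}"
                f" -> install {inst[2]} at {inst[0].isoformat()}")
    for t, ev, detail in events:
        if ev == "log_deletion_attempt":
            findings.append(f"log deletion attempt at {t.isoformat()} ({detail})")
    return findings
```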
While it is a step forward, Intrusion Logging has some limits. For now, along with requiring Advanced Protection Mode to be enabled, the feature requires Android’s latest software version, is only available for Google-made Pixel devices, and requires that the device be linked to a Google account. Intrusion Logging also keeps records of browser navigation history and connections, which people may be wary of sharing with investigators.
Google says Advanced Protection Mode and Intrusion Logging are for people who think they may be at risk of attacks carried out with spyware and forensic devices, such as human rights defenders, activists, journalists, and dissidents. Advanced Protection Mode is similar to Lockdown Mode for Apple devices, which was also meant for at-risk users and is seen as an effective way to protect against spyware.
As recently as March, Apple said it has never detected a successful attack against users who have Lockdown Mode enabled. In 2023, security researchers at Citizen Lab said Lockdown Mode actively blocked an attempt to infect a target with NSO’s spyware.
In its blog post, Amnesty has included step-by-step instructions on how to download the logs if a user suspects, or has been notified, that they have been targeted with spyware. Apple, Google, and Meta have sent threat notifications to users for years, which researchers have said have been key to uncovering and exposing cases of abuse.