Android Fortifies Defenses: New Intrusion Logging System Targets Sophisticated Spyware
- John Jordan
- 6 minutes ago
Google has introduced "Intrusion Logging," a new opt-in feature for Android devices designed to bolster defenses against advanced spyware attacks. This system aims to provide crucial forensic data, enabling better detection and analysis of sophisticated compromises, particularly for high-risk users like journalists and activists.
Key Takeaways
- Enhanced Forensics: Intrusion Logging creates persistent, privacy-preserving forensic logs to aid in investigating suspected device compromises.
- Advanced Protection Mode: The feature is integrated into Android's Advanced Protection Mode, designed for users facing elevated surveillance risks.
- Collaboration: Developed in partnership with organizations like Amnesty International and Reporters Without Borders.
- End-to-End Encryption: Log data is end-to-end encrypted and stored securely, accessible only by the device owner.
Unveiling Intrusion Logging
Intrusion Logging is a significant addition to Android's security suite, developed to address the challenge of detecting and analyzing highly sophisticated spyware attacks that often leave subtle traces. Available as part of the Advanced Protection Mode, this feature enables persistent forensic logging, allowing for detailed investigations in the event of a suspected compromise.
The system was created in collaboration with human rights organizations, including Amnesty International and Reporters Without Borders, to ensure it meets the needs of those most vulnerable to targeted surveillance.
What Intrusion Logging Records
The feature logs a comprehensive range of device and network activities on a daily basis. These include:
- Application activity, such as process starts.
- App installations, updates, and uninstalls.
- Network connections, including Wi-Fi and Bluetooth status, DNS lookups, and IP addresses.
- File transfers via USB.
- Changes to system certificates.
- Device lock and unlock events.
Security and Privacy Measures
Google emphasizes that the log data is end-to-end encrypted by the device and stored on secure Google servers. The encryption keys are protected by the user's Google Account password and screen lock credentials, meaning neither Google nor any third party can access the logs. This off-device storage also prevents malware on the smartphone from tampering with or deleting the evidence.
Logs are retained for 12 months before automatic deletion. Users can download logs for offline storage if they wish to keep them for longer periods, though they then become responsible for the security of this decrypted data. Note that Intrusion Logging captures network events even during Chrome Incognito browsing, because it operates at the system level.
Targeted Users and Broader Impact
The primary motivation behind Intrusion Logging is to empower high-risk individuals who suspect they are targets of advanced surveillance. By sharing these detailed logs with trusted security experts, they can conduct thorough examinations. This feature is particularly relevant for journalists, activists, and dissidents who face significant threats.
Donncha Ó Cearbhaill, head of Amnesty International's Security Lab, stated that Intrusion Logging represents a "fundamental shift" in the availability and quality of forensic data on Android devices, making things more difficult for attackers and aiding civil society in seeking accountability.
Additional Android Security Enhancements
Alongside Intrusion Logging, Google is rolling out other privacy and security improvements, including verified financial calls to combat banking scams, enhanced Live Threat Detection for suspicious app behavior, and stricter controls over accessibility services to prevent misuse by spyware. Other updates focus on scam detection for chat notifications, improved theft protections, and enhanced privacy controls for location and contact sharing.
