If your phone was being spied on right now, would you know?

For most people, the honest answer is no. Sophisticated spyware runs quietly in the background. It leaves almost no trace. By the time anyone notices something is wrong, the attacker has often been in the device for weeks or months.

That is exactly the problem Google has taken aim at with a new Android feature called Intrusion Logging. It is a significant step forward for mobile security, and it matters for any business with staff who handle sensitive information on their phones.

At Sentry Cyber, we have seen firsthand how damaging these targeted attacks can be. Over the past year, we have supported a number of individuals who were persistently targeted by cyber criminals. These were not random attacks. The attackers went after personal devices, including mobile phones, and kept coming back. Having the right tools to detect, investigate, and respond made a genuine difference. This new feature from Google adds another layer to that toolkit.

What Is Android Intrusion Logging?

Google recently unveiled Intrusion Logging as part of Android’s Advanced Protection Program. The feature creates a secure, encrypted record of activity on your device. Think of it like a security camera for your phone. It quietly records what is happening in the background so that if something goes wrong, there is a clear record to work from.

The feature was developed in collaboration with Amnesty International and Reporters Without Borders. That partnership tells you something important about who it was designed to protect: people facing serious, real-world threats. That now includes business owners, executives, and key staff members who carry sensitive data on their phones every day.

What Does It Actually Log?

Once enabled, Intrusion Logging captures a daily record of device and network activity. This includes:

  • App activity, including when app processes start
  • App installations, updates, and removals
  • Network activity, such as Wi-Fi and Bluetooth connections, DNS lookups, and IP addresses
  • File transfers to or from the device via USB
  • Changes to system certificates
  • When the device is locked or unlocked

None of this information is visible to attackers. The logs are end-to-end encrypted and stored on Google’s servers. The encryption keys are tied to your Google Account password and screen lock credentials, which means not even Google can read them.

Importantly, even if malware is already installed on a device, it cannot access, delete, or alter the logs. The data lives on an external server, completely out of reach.

How Long Are the Logs Kept?

The logs are stored for 12 months and then automatically deleted. Once you enable the feature, you cannot manually delete the logs before that window is up, even if you close your account or turn the feature off. You can download them and keep an offline copy if you want to retain them for longer.

To access the logs, go to Settings > Security and Privacy > Advanced Protection > Intrusion Logging > Access Logs.

The feature is currently rolling out to all devices running the Android 16 December update and newer.

Why This Matters for Your Business

Spyware is no longer just a concern for government agencies and international journalists. We are increasingly seeing it used against business owners, finance teams, and executives here in Australia.

The cases Sentry Cyber has helped respond to recently followed a similar pattern. A targeted individual starts receiving suspicious communications. Their device behaves strangely. Things do not add up. But without forensic evidence, it is almost impossible to prove what is happening, let alone stop it.

Android Intrusion Logging changes that. When a device has been running the feature, security professionals can review the encrypted logs and look for signs of compromise. That gives investigators something concrete to work with. It also means you can respond faster and with far more confidence.

We Have Been Recommending Advanced Protection for Years. Here Is Why.

This is not the first time Google has set the standard for protecting high-risk users. The Advanced Protection Program has been available for some time, and Sentry Cyber has been recommending it to clients for years.

The track record speaks for itself. Google has reported that, to date, zero accounts enrolled in the Advanced Protection Program have been compromised. Not a handful. Zero. That is a remarkable result given the scale and sophistication of attacks targeting Google accounts today.

Because of that record, we have consistently recommended Advanced Protection to the people within an organisation who carry the most risk. That includes:

  • C-level executives who have access to strategic and financial information
  • Finance team members who handle transactions, payroll, and sensitive data
  • IT administrators with elevated system access and the keys to your infrastructure

These are the people attackers go after first. A successful attack on any one of them can have serious consequences for the whole organisation. Advanced Protection raises the barrier significantly, and Intrusion Logging now extends that protection by making it possible to investigate potential compromises that would previously have gone undetected.

How to Get the Most Out of These Features

Enabling Intrusion Logging is a straightforward decision if your key staff members already have Advanced Protection Mode turned on. But making the most of it requires more than just switching it on.

Here are a few practical steps worth taking:

Start with your highest-risk accounts. If your CEO, CFO, or IT manager is not already enrolled in Advanced Protection, that is the first priority. No other security measure fully compensates for a compromised account at that level.

Have a response plan ready. Intrusion Logging generates forensic data, but it takes a trained security professional to interpret it meaningfully. Know who you will contact if something looks suspicious.

Review your broader Google Workspace security settings. Most small and medium-sized businesses have gaps in their Google Workspace configuration that attackers can exploit. Getting the basics right is just as important as enabling advanced features.

If you are not sure where your organisation stands, our Google Workspace security services can help you identify and fix those gaps. We also have a free Google Workspace Best Security Practices eBook that walks through the most important settings every business should have locked down.

What This Means Going Forward

The introduction of Android Intrusion Logging is a welcome development. It gives security teams, including ours, better tools to detect and investigate attacks that would previously have gone unnoticed.

But technology only goes so far. The organisations that stay safest are the ones that combine good tools with clear policies, trained staff, and expert support when things get complicated.

If your business handles sensitive data, or if you have staff members who are likely targets for sophisticated attackers, now is the time to review your mobile and account security posture.

Our team at Sentry Cyber works with businesses across Australia to assess exposure and put the right protections in place. Whether you need a one-off security assessment, ongoing cyber security monitoring, or a fractional CISO as a Service to guide your strategy, we can help.

Conclusion

Android’s Intrusion Logging feature fills a gap that has been hard to address until now. For high-risk individuals and businesses, it creates a tamper-proof record that security professionals can use to investigate attacks that would previously have been invisible.

Combined with Advanced Protection Mode, which has maintained a zero-compromise record to date, it creates a genuinely strong baseline for anyone who needs serious account and device security.

If you want to make sure your team is protected, contact Sentry Cyber today. We can review your current setup, identify the gaps, and put the right protections in place before you need them.

And if you have not downloaded our free Google Workspace Best Security Practices eBook yet, that is a great place to start.

FAQ

What is Android Intrusion Logging?

Intrusion Logging is a new opt-in feature available through Android’s Advanced Protection Mode. It creates encrypted, tamper-proof records of device and network activity that security experts can use to investigate suspected spyware attacks.

Who should enable Intrusion Logging?

The feature is designed for anyone facing a higher risk of targeted attacks. Within a business, that means C-level executives, finance team members, and IT administrators. If you handle sensitive business information on your phone, it is worth turning on.

Can Google or hackers access my Intrusion Logs?

No. The logs are end-to-end encrypted using your Google Account password and screen lock credentials. Google itself cannot read them. Even malware already installed on the device cannot access or delete the logs, as they are stored on a separate secure server.

How long are the logs stored?

Logs are kept for 12 months and then automatically deleted. You cannot manually delete them before this period ends, even if you close your account or disable the feature.

What is the Advanced Protection Program?

Advanced Protection is a Google security program designed for accounts at high risk of targeted attacks. It adds extra layers of account verification and restricts access to sensitive data. Google reports that to date, no accounts enrolled in the program have been successfully compromised.


Does my business need this?

If you have staff with access to sensitive data, financial systems, or elevated IT permissions, yes, it is worth acting on. Sentry Cyber has been recommending Advanced Protection to high-risk staff for years. Intrusion Logging adds an important investigative capability on top of an already strong foundation. Get in touch with us if you want help getting the right people enrolled.