Google launched a feature for Android phones Tuesday for dedicated forensic logs about intrusions from sophisticated attacks like those by spyware vendors, in what design partners at Amnesty International hailed as an important first.

The tech giant has been ramping up the new feature, Intrusion Logging, since last year, and has now begun rolling it out.

“The new intrusion logging feature promises to be a major aid to digital forensics researchers undertaking investigations into sophisticated attacks on Android devices,” Amnesty International said in a Tuesday technical briefing. “This is the first time a major device vendor has released a feature specifically to enhance the ability to forensically detect and respond to advanced digital threats.”

To date, independent investigators have relied on records and often short-lived log files that weren’t meant for forensic use, and Amnesty said surveillance groups have grown increasingly aware of those forensic efforts. Intrusion Logging, a feature of Android Advanced Protection Mode, is designed specifically to keep track of possible intrusions for forensic purposes. It keeps records of security incidents like device unlocking, physical access and spyware installation and removal.

Google’s annual security and privacy update for Android phones mentions the feature and its development with Amnesty International, Reporters Without Borders and others. It also touts new protections against banking scam calls, other features for detecting suspicious activity on Android phones, additional privacy safeguards and more.

The firm has been working on the feature since announcing it last year.

“Intrusion Logging enables persistent and privacy-preserving forensics logging to allow for investigation of devices in the event of a suspected compromise,” wrote Eugene Liderman, director of Android security and privacy.

Intrusion Logging joins an expanding slate of features from tech companies to fight sophisticated attacks like those from commercial spyware, among them Apple’s Lockdown Mode and Memory Integrity Enforcement and WhatsApp’s Strict Account Settings.

Intrusion Logging “promises to help shift the balance to the advantage of defenders, providing civil society investigators with the key evidence needed to detect and expose some of the most advanced attacks facing journalists and activists,” said Donncha Ó Cearbhaill, head of the Amnesty International Security Lab, “With Intrusion Logging Google is the first major vendor to proactively address to challenge of detecting advanced attacks on device. By making more consensual forensic data available for researchers, we can make life more difficult for attackers and help civil society seek accountability when their devices are unlawfully targeted by spyware and mobile data extraction tools.”

The feature has some limitations, though, Amnesty said in its technical briefing. It requires Android 16 and is only available for now on Pixel devices; the device has to be linked to a Google account, and the logs may include sensitive information, like browser navigation history, so secure sharing of the logs is important.

The logs may also be deletable by attackers, Ó Cearbhaill told CyberScoop, but he said he understands there are plans to strengthen protections against that in future versions. And lots of attacks would be detectable in the logs where attackers wouldn’t necessarily have the root access needed to try to delete logs, he said.

To enable Intrusion Logging, users need to be using Android Advanced Protection Mode, and can find the feature at Settings > Security & privacy > Advanced Protection > Intrusion Logging. If users suspect some kind of security incident, they’ll need to export and share the logs with a forensic analyst.

The post Google and Amnesty International teamed up to make it harder for spyware vendors to hide appeared first on CyberScoop.

Leaked training videos suggest that Intellexa retained the ability to remotely access the systems of customers who had used its Predator spyware, raising questions about human rights safeguards, according to an investigation published Thursday.

That was just one finding from a series of separate but overlapping probes released over the past 24 hours. The training video revelations came via a joint investigation by Inside Story, Haaretz and WAV Research Collective in partnership with Amnesty International. Google and Recorded Future also published research Thursday about Intellexa.

“The fact that, at least in some cases, Intellexa appears to have retained the capability to remotely access Predator customer logs – allowing company staff to see details of surveillance operations and targeted individuals [—] raises questions about its own human rights due diligence processes,” Jurre van Bergen, technologist at Amnesty International Security Lab, said in a news release.

“If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware,” he continued.

The “Intellexa Leaks” investigation learned more about the U.S.-sanctioned company’s operations as well. One revelation was that Intellexa was exploiting malicious mobile advertisements to infect targets, a vector named “Aladdin,” investigators concluded.

Other findings include confirmation of Predator domains imitating legitimate Kazakhstani news sites, and additional evidence linking Predator spyware to surveillance of prominent Egyptian political activist Ayman Nour and Greek investigative journalist Thanasis Koukakis, according to Amnesty. And the news publications reported on the first reported Predator infection in Pakistan, of a human rights lawyer, and additional targeting in the country.

A lawyer for Intellexa founder Tal Dilian only responded in part to questions from Haaretz, the publication reported, saying that ‘progressive groups rely on biased and politically motivated international organizations that spread unfounded claims, and use journalists, as ‘useful idiots,’ who repeatedly publish so-called investigative reports directed by the same actors.”

The attorney added: “I have not committed any crime nor operated any cyber system in Greece or anywhere else. Any claim suggesting otherwise is false and defamatory. I categorically reject any attempt to link me to events in Greece or to the media campaign surrounding them. I protect my rights and will continue pursuing legal action against those who defame me.”

Recorded Future’s Insikt Group, meanwhile, published a study on individuals and groups connected to Intellexa.

“These connections span technical, operational, and corporate roles, including backend development, infrastructure setup, and company formation,” wrote Julian-Ferdinand Vögele, principle threat researcher. “In addition, Recorded Future’s proprietary intelligence revealed ongoing Predator spyware activity in multiple countries, including new evidence of its deployment in Iraq.”

On Wednesday, Google said it had identified the companies Intellexa had created to infiltrate the advertising ecosystems, with partners subsequently shutting down the accounts.

Additionally, the firm pointed to one way Intellexa stands out among others.

“Over the past several years, Intellexa has solidified its position as one of, if not the most, prolific spyware vendors exploiting zero-day vulnerabilities against mobile browsers,” a blog post from Google Threat Intelligence Group reads. “Despite the consistent efforts of security researchers and platform vendors to identify and patch these flaws, Intellexa repeatedly demonstrates an ability to procure or develop new zero-day exploits, quickly adapting and continuing operations for their customers.”

The post Intellexa remotely accessed Predator spyware customer systems, investigation finds appeared first on CyberScoop.