Intrusion logging creates evidence where silence once protected the hunters
In 2026, Google has moved to harden Android against two converging threats — state-grade spyware and financial fraud — recognizing that invisibility is the common weapon of both. By introducing forensic intrusion logging developed in partnership with Amnesty International, and layering in biometric safeguards and automatic scam call termination, the company is attempting to make the cost of attack visible and measurable. This is less a solution than a renegotiation of terms in an ongoing arms race, one where the stakes range from a drained bank account to a journalist's life.
- Spyware vendors and bank scammers have long relied on operating unseen — Android is now building systems specifically designed to expose that invisibility.
- Intrusion logging creates forensic records when unauthorized code probes sensitive parts of the operating system, giving researchers and organizations like Amnesty International evidence to work with.
- A new biometric-protected 'Mark as lost' mode closes a ransom loophole, while hidden Quick Settings prevent physically present thieves from disabling connectivity and security features.
- Automatic call-blocking technology targets the social engineering scripts behind bank fraud, hanging up on calls flagged as scam attempts before manipulation can take hold.
- Threat actors will adapt — but each new defensive layer raises the complexity and cost of attack, and for high-risk users like activists and journalists, that friction can be the difference between discovery and silence.
Google is tightening Android's defenses against two distinct but equally dangerous threats: spyware vendors who sell surveillance tools to governments and criminals, and scammers who drain bank accounts through fraudulent calls. A suite of 2026 security upgrades treats these as interconnected — both depend on bad actors operating invisibly inside your phone.
The most significant change is intrusion logging, a forensic tool designed to catch spyware in the act. When sophisticated surveillance software attempts to penetrate an Android device, the system now creates detailed records of those attempts. Spyware vendors have historically relied on stealth; by logging intrusions, Android creates a trail that security researchers and organizations like Amnesty International — a partner in this initiative — can follow. The logs don't prevent installation, but they make it far harder for vendors to claim their products are undetectable, and for high-risk users like activists and journalists, that record could be the difference between discovering a compromise and never knowing.
Parallel to this, Android is rolling out protections against financial fraud. Automatic call-blocking technology will hang up on calls identified as bank scam attempts, cutting off social engineering before it can succeed. A new 'Mark as lost' mode now requires biometric authentication before activation, preventing thieves from remotely locking a stolen device for ransom. When triggered, the mode also hides Quick Settings, making it harder for anyone with physical access to disable connectivity and security features.
Taken together, these updates reflect a broader shift in Android's security philosophy — one that assumes attackers are sophisticated and persistent, and builds friction into every layer rather than waiting for breaches to occur. Whether the measures prove sufficient will depend on how quickly threat actors adapt, and whether users understand and enable the protections now available to them.
Google is tightening Android's defenses against two distinct but equally dangerous threats: the spyware vendors who sell surveillance tools to governments and criminals, and the scammers who drain bank accounts through fraudulent calls. The company announced a suite of security upgrades in 2026 that treats these problems as interconnected—both require making it harder for bad actors to operate invisibly on your phone.
The most significant change is intrusion logging, a forensic tool designed to catch spyware in the act. When sophisticated surveillance software attempts to penetrate an Android device, the system now creates detailed records of those intrusion attempts. This matters because spyware vendors have historically relied on stealth; if no one knows they're there, they can't be removed or studied. By logging these attempts, Android creates a trail that security researchers and forensic investigators can follow. Google partnered with Amnesty International on this initiative, recognizing that spyware is not primarily a consumer problem—it's a tool used against activists, journalists, and political opponents in countries where surveillance is a weapon of state control.
The intrusion logging system is technical and invisible to most users. It runs in the background, documenting when unauthorized code tries to gain access to sensitive parts of the operating system. This data becomes valuable only when a device is examined by someone trained to read it—a security researcher, a forensic analyst, or an organization like Amnesty International that helps at-risk populations understand whether they've been targeted. The logs don't prevent spyware from being installed, but they make it far harder for vendors to claim their products are undetectable.
Parallel to this, Android is rolling out features aimed at a different category of threat: financial fraud. The company is implementing automatic call-blocking technology that will hang up on calls identified as bank scam attempts, protecting users from the social engineering attacks that have become increasingly sophisticated. Simultaneously, a new "Mark as lost" mode requires biometric authentication—a fingerprint or face scan—before it can be activated. This prevents thieves from remotely locking a stolen phone and holding it for ransom. When activated, the mode also hides Quick Settings, the panel that controls Wi-Fi, Bluetooth, and other connectivity options, making it harder for someone with physical access to the device to disable security features.
These changes reflect a shift in how Android approaches security. Rather than treating threats as isolated problems, Google is building defenses that assume attackers are sophisticated and persistent. Spyware vendors will adapt to intrusion logging. Scammers will find new angles. But each new layer of defense raises the cost and complexity of attacks, and that friction matters. For activists and journalists in high-risk environments, intrusion logging could be the difference between discovering they've been targeted and never knowing. For ordinary users, automatic scam call blocking and biometric-protected lost mode reduce the surface area where fraud can take hold.
The updates also signal something broader: an escalating technical arms race between Android and the threat ecosystem. Spyware vendors are not going away. Neither are bank scammers. But Google is no longer waiting for attacks to succeed before responding. The company is building systems that make intrusion visible, that block known fraud patterns, and that require attackers to work harder for every inch of access they gain. Whether these measures will prove sufficient depends on how quickly threat actors adapt—and whether users actually enable and understand the protections available to them.
Notable Quotes
Google and Amnesty International teamed up to make it harder for spyware vendors to hide— CyberScoop reporting on the partnership
The Hearth Conversation Another angle on the story
Why does intrusion logging matter if it doesn't actually stop spyware from being installed?
Because it creates evidence. Spyware vendors sell their products partly on the claim that they're undetectable. If forensic investigators can now see the intrusion attempts in the logs, that claim collapses. It doesn't help the person being spied on in real time, but it helps the researchers and organizations trying to understand which vendors are active, which governments are buying from them, and how the attacks work.
So this is really a tool for investigators, not for regular phone users?
Mostly, yes. But regular users benefit indirectly. When Amnesty International or a security firm documents that a particular spyware vendor is being used against activists, that information becomes public. Governments face pressure. The vendor's business model gets disrupted. The intrusion logging is the technical foundation that makes that accountability possible.
What about the scam call blocking? That seems more immediately useful.
It is. If your phone automatically hangs up on calls identified as bank fraud attempts, you can't be socially engineered into giving away your account details. But it's also imperfect. Scammers are constantly evolving their tactics, finding new numbers, new scripts. The blocking will catch some, not all.
Why require biometric authentication for "Mark as lost" mode?
Because if someone steals your phone, they can currently just activate lost mode remotely and lock you out of your own device. Then they demand money to unlock it. Requiring a fingerprint or face scan means the thief can't do that—they'd need your biometric data, which they don't have. It's a simple but effective barrier.
Does this mean Android is finally taking security seriously?
Android has always taken security seriously. What's changed is the sophistication of the threats and the willingness to build defenses that are invisible to users but powerful in practice. Intrusion logging won't make headlines. Most people won't know it exists. But for the people who need it most, it changes everything.