MIP against Agent: Malicious Image Patches Hijacking Multimodal OS Agents

Lukas Aichberger , Alasdair Paren , Guohao Li , Philip Torr , Yarin Gal , Adel Bibi

🏛 Institutions: Johannes Kepler University Linz , Oxford
📅 Date: March 13, 2025
📑 Publisher: NeurIPS 2025 (Poster)
💻 Env: Desktop
🔑 Keywords: security adversarial attacks malicious image patches screen hijacking MIP

TLDR

This paper shows that adversarial image patches embedded in on-screen content can hijack multimodal OS agents into harmful actions. The attacks transfer across prompts and screen configurations, exposing a visual attack surface that goes beyond text-only prompt injection.

Open paper arXiv Report issue

Related papers (24)

The Blind Spot of Agent Safety: How Benign User Instructions Expose Critical Vulnerabilities in Computer-Use Agents

April 12, 2026 · arXiv
Preference Redirection via Attention Concentration: An Attack on Computer Use Agents

April 9, 2026 · arXiv
AgentSentinel: An End-to-End and Real-Time Security Defense Framework for Computer-Use Agents

September 9, 2025 · CCS 2025
VPI-Bench: Visual Prompt Injection Attacks for Computer-Use Agents

June 3, 2025 · ICLR 2026 (Poster)
RedTeamCUA: Realistic Adversarial Testing of Computer-Use Agents in Hybrid Web-OS Environments

May 28, 2025 · ICLR 2026 (Oral)
On the Robustness of GUI Grounding Models Against Image Attacks

April 7, 2025 · arXiv
sudo rm -rf agentic_security

March 26, 2025 · ACL 2025 Industry Track
In-Context Defense in Computer Agents: An Empirical Study

March 12, 2025 · arXiv
WebSP-Eval: Evaluating Web Agents on Website Security and Privacy Tasks

April 7, 2026 · arXiv
AgentRAE: Remote Action Execution through Notification-based Visual Backdoors against Screenshots-based Mobile GUI Agents

March 24, 2026 · arXiv
Visual Confused Deputy: Exploiting and Defending Perception Failures in Computer-Using Agents

March 16, 2026 · arXiv
SlowBA: An efficiency backdoor attack towards VLM-based GUI agents

March 9, 2026 · arXiv
Dual-Modality Multi-Stage Adversarial Safety Training: Robustifying Multimodal Web Agents Against Cross-Modal Attacks

March 4, 2026 · arXiv
WebSentinel: Detecting and Localizing Prompt Injection Attacks for Web Agents

February 3, 2026 · arXiv
Zero-Permission Manipulation: Can We Trust Large Multimodal Model Powered GUI Agents?

January 18, 2026 · arXiv
HackWorld: Evaluating Computer-Use Agents on Exploiting Web Application Vulnerabilities

October 14, 2025 · ICLR 2026 (Poster)
Environmental Injection Attacks against GUI Agents in Realistic Dynamic Environments

September 14, 2025 · arXiv
WebInject: Prompt Injection Attack to Web Agents

May 16, 2025 · EMNLP 2025 (Poster)
A Survey on the Safety and Security Threats of Computer-Using Agents: JARVIS or Ultron?

May 16, 2025 · arXiv
LLM-Powered GUI Agents in Phone Automation: Surveying Progress and Prospects

April 28, 2025 · TMLR 2025
WASP: Benchmarking Web Agent Security Against Prompt Injection Attacks

April 22, 2025 · NeurIPS 2025 (Poster)
Why Are Web AI Agents More Vulnerable Than Standalone LLMs? A Security Analysis

February 27, 2025 · arXiv
Evaluating the Robustness of Multimodal Agents Against Active Environmental Injection Attacks

February 18, 2025 · ACM MM 2025
Workflow-GYM: Towards Long-Horizon Evaluation of Computer-use Agentic tasks in Real-World Professional Fields

June 9, 2026 · arXiv