Environmental Injection Attacks against GUI Agents in Realistic Dynamic Environments

This paper studies environmental injection attacks on GUI agents under dynamic web conditions where trigger position and surrounding context vary across pages and sessions. It shows prior attacks degrade sharply under this more realistic threat model, then proposes Chameleon with LLM-driven environment simulation and Attention Black Hole supervision to recover attack effectiveness across six websites and four LVLM agents.

• WebSP-Eval: Evaluating Web Agents on Website Security and Privacy Tasks
  April 7, 2026 · arXiv
• Dual-Modality Multi-Stage Adversarial Safety Training: Robustifying Multimodal Web Agents Against Cross-Modal Attacks
  March 4, 2026 · arXiv
• WebSentinel: Detecting and Localizing Prompt Injection Attacks for Web Agents
  February 3, 2026 · arXiv
• HackWorld: Evaluating Computer-Use Agents on Exploiting Web Application Vulnerabilities
  October 14, 2025 · ICLR 2026 (Poster)
• RedTeamCUA: Realistic Adversarial Testing of Computer-Use Agents in Hybrid Web-OS Environments
  May 28, 2025 · ICLR 2026 (Oral)
• WebInject: Prompt Injection Attack to Web Agents
  May 16, 2025 · EMNLP 2025 (Poster)
• WASP: Benchmarking Web Agent Security Against Prompt Injection Attacks
  April 22, 2025 · NeurIPS 2025 (Poster)
• sudo rm -rf agentic_security
  March 26, 2025 · ACL 2025 Industry Track
• In-Context Defense in Computer Agents: An Empirical Study
  March 12, 2025 · arXiv
• Why Are Web AI Agents More Vulnerable Than Standalone LLMs? A Security Analysis
  February 27, 2025 · arXiv
• The Blind Spot of Agent Safety: How Benign User Instructions Expose Critical Vulnerabilities in Computer-Use Agents
  April 12, 2026 · arXiv
• Preference Redirection via Attention Concentration: An Attack on Computer Use Agents
  April 9, 2026 · arXiv
• AgentRAE: Remote Action Execution through Notification-based Visual Backdoors against Screenshots-based Mobile GUI Agents
  March 24, 2026 · arXiv
• Visual Confused Deputy: Exploiting and Defending Perception Failures in Computer-Using Agents
  March 16, 2026 · arXiv
• SlowBA: An efficiency backdoor attack towards VLM-based GUI agents
  March 9, 2026 · arXiv
• Zero-Permission Manipulation: Can We Trust Large Multimodal Model Powered GUI Agents?
  January 18, 2026 · arXiv
• AgentSentinel: An End-to-End and Real-Time Security Defense Framework for Computer-Use Agents
  September 9, 2025 · CCS 2025
• VPI-Bench: Visual Prompt Injection Attacks for Computer-Use Agents
  June 3, 2025 · ICLR 2026 (Poster)
• A Survey on the Safety and Security Threats of Computer-Using Agents: JARVIS or Ultron?
  May 16, 2025 · arXiv
• LLM-Powered GUI Agents in Phone Automation: Surveying Progress and Prospects
  April 28, 2025 · TMLR 2025
• MIP against Agent: Malicious Image Patches Hijacking Multimodal OS Agents
  March 13, 2025 · NeurIPS 2025 (Poster)
• Evaluating the Robustness of Multimodal Agents Against Active Environmental Injection Attacks
  February 18, 2025 · ACM MM 2025
• GUI Agents for Continual Game Generation
  May 27, 2026 · arXiv
• Odysseys: Benchmarking Web Agents on Realistic Long Horizon Tasks
  April 27, 2026 · arXiv