Zero-Permission Manipulation: Can We Trust Large Multimodal Model Powered GUI Agents?
Yi Qian , Kunwei Qian , Xingbang He , Ligeng Chen , Jikang Zhang , Tiantai Zhang , Haiyang Wei , Linzhang Wang , Hao Wu , Bing Mao
- 🏛 Institutions
- National Key Laboratory for Novel Software Technology , NJU , Honor Device Co. , Ltd. , Institute of Dataspace , Hefei Comprehensive National Science Center
- 📅 Date
- January 18, 2026
- 📑 Publisher
- arXiv
- 💻 Env
- Mobile
- 🔑 Keywords
TLDR
This paper introduces Action Rebinding, a zero-permission Android attack that exploits the observation-to-action gap in multimodal GUI agents by changing foreground UI state before the planned action executes. Across six agents and 15 tasks it achieves 100% atomic rebinding success, and with intent alignment can also bypass confirmation-style verification gates.
Related papers (24)
- Preference Redirection via Attention Concentration: An Attack on Computer Use AgentsApril 9, 2026 · arXiv
- VPI-Bench: Visual Prompt Injection Attacks for Computer-Use AgentsJune 3, 2025 · ICLR 2026 (Poster)
- AgentRAE: Remote Action Execution through Notification-based Visual Backdoors against Screenshots-based Mobile GUI AgentsMarch 24, 2026 · arXiv
- LLM-Powered GUI Agents in Phone Automation: Surveying Progress and ProspectsApril 28, 2025 · TMLR 2025
- Evaluating the Robustness of Multimodal Agents Against Active Environmental Injection AttacksFebruary 18, 2025 · ACM MM 2025
- The Blind Spot of Agent Safety: How Benign User Instructions Expose Critical Vulnerabilities in Computer-Use AgentsApril 12, 2026 · arXiv
- WebSP-Eval: Evaluating Web Agents on Website Security and Privacy TasksApril 7, 2026 · arXiv
- Visual Confused Deputy: Exploiting and Defending Perception Failures in Computer-Using AgentsMarch 16, 2026 · arXiv
- SlowBA: An efficiency backdoor attack towards VLM-based GUI agentsMarch 9, 2026 · arXiv
- Dual-Modality Multi-Stage Adversarial Safety Training: Robustifying Multimodal Web Agents Against Cross-Modal AttacksMarch 4, 2026 · arXiv
- WebSentinel: Detecting and Localizing Prompt Injection Attacks for Web AgentsFebruary 3, 2026 · arXiv
- Genesis: Evolving Attack Strategies for LLM Web Agent Red-TeamingOctober 21, 2025 · ICME 2026
- HackWorld: Evaluating Computer-Use Agents on Exploiting Web Application VulnerabilitiesOctober 14, 2025 · ICLR 2026 (Poster)
- Environmental Injection Attacks against GUI Agents in Realistic Dynamic EnvironmentsSeptember 14, 2025 · arXiv
- AgentSentinel: An End-to-End and Real-Time Security Defense Framework for Computer-Use AgentsSeptember 9, 2025 · CCS 2025
- RedTeamCUA: Realistic Adversarial Testing of Computer-Use Agents in Hybrid Web-OS EnvironmentsMay 28, 2025 · ICLR 2026 (Oral)
- WebInject: Prompt Injection Attack to Web AgentsMay 16, 2025 · EMNLP 2025 (Poster)
- A Survey on the Safety and Security Threats of Computer-Using Agents: JARVIS or Ultron?May 16, 2025 · arXiv
- WASP: Benchmarking Web Agent Security Against Prompt Injection AttacksApril 22, 2025 · NeurIPS 2025 (Poster)
- sudo rm -rf agentic_securityMarch 26, 2025 · ACL 2025 Industry Track
- MIP against Agent: Malicious Image Patches Hijacking Multimodal OS AgentsMarch 13, 2025 · NeurIPS 2025 (Poster)
- In-Context Defense in Computer Agents: An Empirical StudyMarch 12, 2025 · arXiv
- Why Are Web AI Agents More Vulnerable Than Standalone LLMs? A Security AnalysisFebruary 27, 2025 · arXiv
- Attacking Vision-Language Computer Agents via Pop-upsNovember 4, 2024 · ACL 2025