Are GUI Agents Focused Enough? Automated Distraction via Semantic-level UI Element Injection

This paper proposes Semantic-level UI Element Injection, a red-teaming method that overlays safety-aligned UI elements onto screenshots to misdirect GUI agents' visual grounding. Using a modular Editor-Overlapper-Victim pipeline with iterative search, optimized attacks improve attack success rate by up to 4.4x over random injection and transfer across models.

• When Benign Inputs Lead to Severe Harms: Eliciting Unsafe Unintended Behaviors of Computer-Use Agents
  February 9, 2026 · arXiv
• AdvAgent: Controllable Blackbox Red-teaming on Web Agents
  October 22, 2024 · ICML 2025 (Poster)
• Refusal-Trained LLMs Are Easily Jailbroken As Browser Agents
  October 11, 2024 · arXiv
• Human-Guided Harm Recovery for Computer Use Agents
  April 20, 2026 · arXiv
• CocoaBench: Evaluating Unified Digital Agents in the Wild
  April 13, 2026 · arXiv
• LPS-Bench: Benchmarking Safety Awareness of Computer-Use Agents in Long-Horizon Planning under Benign and Adversarial Scenarios
  February 3, 2026 · arXiv
• SafePred: A Predictive Guardrail for Computer-Using Agents via World Models
  February 2, 2026 · arXiv
• ToolTok: Tool Tokenization for Efficient and Generalizable GUI Agents
  January 30, 2026 · arXiv
• iSHIFT: Lightweight Slow-Fast GUI Agent with Adaptive Perception
  December 26, 2025 · arXiv
• GEM: Gaussian Embedding Modeling for Out-of-Distribution Detection in GUI Agents
  May 19, 2025 · arXiv
• A Survey on the Safety and Security Threats of Computer-Using Agents: JARVIS or Ultron?
  May 16, 2025 · arXiv
• OS Agents: A Survey on MLLM-based Agents for Computer, Phone and Browser Use
  December 20, 2024 · ACL 2025
• Visual Grounding for User Interfaces
  June 16, 2024 · NAACL 2024 Industry Track
• The Blind Spot of Agent Safety: How Benign User Instructions Expose Critical Vulnerabilities in Computer-Use Agents
  April 12, 2026 · arXiv
• CORA: Conformal Risk-Controlled Agents for Safeguarded Mobile GUI Automation
  April 10, 2026 · arXiv
• Preference Redirection via Attention Concentration: An Attack on Computer Use Agents
  April 9, 2026 · arXiv
• Dual-Modality Multi-Stage Adversarial Safety Training: Robustifying Multimodal Web Agents Against Cross-Modal Attacks
  March 4, 2026 · arXiv
• When Actions Go Off-Task: Detecting and Correcting Misaligned Actions in Computer-Use Agents
  February 9, 2026 · arXiv
• How do Visual Attributes Influence Web Agents? A Comprehensive Evaluation of User Interface Design Factors
  January 29, 2026 · arXiv
• CaMeLs Can Use Computers Too: System-level Security for Computer Use Agents
  January 14, 2026 · arXiv
• WebTrap Park: An Automated Platform for Systematic Security Evaluation of Web Agents
  January 13, 2026 · arXiv
• It's a TRAP! Task-Redirecting Agent Persuasion Benchmark for Web Agents
  December 29, 2025 · arXiv
• DECEPTICON: How Dark Patterns Manipulate Web Agents
  December 28, 2025 · arXiv
• Permission Manifests for Web Agents
  December 7, 2025 · arXiv