Saved in:
Bibliographic Details
Main Authors: Ye, Ziang, Zhang, Yang, Shi, Wentao, You, Xiaoyu, Feng, Fuli, Chua, Tat-Seng
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2507.06899
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914053344985088
author Ye, Ziang
Zhang, Yang
Shi, Wentao
You, Xiaoyu
Feng, Fuli
Chua, Tat-Seng
author_facet Ye, Ziang
Zhang, Yang
Shi, Wentao
You, Xiaoyu
Feng, Fuli
Chua, Tat-Seng
contents Graphical User Interface (GUI) agents powered by Large Vision-Language Models (LVLMs) have emerged as a revolutionary approach to automating human-machine interactions, capable of autonomously operating personal devices (e.g., mobile phones) or applications within the device to perform complex real-world tasks in a human-like manner. However, their close integration with personal devices raises significant security concerns, with many threats, including backdoor attacks, remaining largely unexplored. This work reveals that the visual grounding of GUI agent-mapping textual plans to GUI elements-can introduce vulnerabilities, enabling new types of backdoor attacks. With backdoor attack targeting visual grounding, the agent's behavior can be compromised even when given correct task-solving plans. To validate this vulnerability, we propose VisualTrap, a method that can hijack the grounding by misleading the agent to locate textual plans to trigger locations instead of the intended targets. VisualTrap uses the common method of injecting poisoned data for attacks, and does so during the pre-training of visual grounding to ensure practical feasibility of attacking. Empirical results show that VisualTrap can effectively hijack visual grounding with as little as 5% poisoned data and highly stealthy visual triggers (invisible to the human eye); and the attack can be generalized to downstream tasks, even after clean fine-tuning. Moreover, the injected trigger can remain effective across different GUI environments, e.g., being trained on mobile/web and generalizing to desktop environments. These findings underscore the urgent need for further research on backdoor attack risks in GUI agents.
format Preprint
id arxiv_https___arxiv_org_abs_2507_06899
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle VisualTrap: A Stealthy Backdoor Attack on GUI Agents via Visual Grounding Manipulation
Ye, Ziang
Zhang, Yang
Shi, Wentao
You, Xiaoyu
Feng, Fuli
Chua, Tat-Seng
Computation and Language
Artificial Intelligence
Graphical User Interface (GUI) agents powered by Large Vision-Language Models (LVLMs) have emerged as a revolutionary approach to automating human-machine interactions, capable of autonomously operating personal devices (e.g., mobile phones) or applications within the device to perform complex real-world tasks in a human-like manner. However, their close integration with personal devices raises significant security concerns, with many threats, including backdoor attacks, remaining largely unexplored. This work reveals that the visual grounding of GUI agent-mapping textual plans to GUI elements-can introduce vulnerabilities, enabling new types of backdoor attacks. With backdoor attack targeting visual grounding, the agent's behavior can be compromised even when given correct task-solving plans. To validate this vulnerability, we propose VisualTrap, a method that can hijack the grounding by misleading the agent to locate textual plans to trigger locations instead of the intended targets. VisualTrap uses the common method of injecting poisoned data for attacks, and does so during the pre-training of visual grounding to ensure practical feasibility of attacking. Empirical results show that VisualTrap can effectively hijack visual grounding with as little as 5% poisoned data and highly stealthy visual triggers (invisible to the human eye); and the attack can be generalized to downstream tasks, even after clean fine-tuning. Moreover, the injected trigger can remain effective across different GUI environments, e.g., being trained on mobile/web and generalizing to desktop environments. These findings underscore the urgent need for further research on backdoor attack risks in GUI agents.
title VisualTrap: A Stealthy Backdoor Attack on GUI Agents via Visual Grounding Manipulation
topic Computation and Language
Artificial Intelligence
url https://arxiv.org/abs/2507.06899