50 Shades of Deceptive Patterns: A Unified Taxonomy, Multimodal Detection, and Security Implications
Zewei Shi, Ruoxi Sun, Jieshan Chen, Jiamou Sun, Minhui Xue, Yansong Gao, Feng Liu, Xingliang Yuan
TL;DR
This work tackles the rising challenge of deceptive patterns (DPs) in UI by proposing a unified taxonomy that incorporates security and privacy considerations across mobile and web platforms. It builds a cross-platform DP dataset totaling 10,421 DP instances and 3,377 non-DP images, then introduces DPGuard, a hybrid detector that first uses a binary CNN classifier and then a multimodal LLM with a mutation-based prompting loop to classify DP types. The approach yields state-of-the-art performance, with a binary ResNet101 achieving high DP/non-DP F1 and the MLLM-based component improving DP-category typing through iterative prompt optimization. An extensive in-the-wild evaluation reveals substantial DP prevalence: roughly a quarter of mobile apps and half of websites contain DP instances, underscoring the practical impact of automated, scalable DP detection. The paper also extends four DP categories with concrete security implications, illustrating how the unified taxonomy can guide policy, user protection, and future research in a rapidly evolving deception landscape.
Abstract
Deceptive patterns (DPs) are user interface designs deliberately crafted to manipulate users into unintended decisions, often by exploiting cognitive biases for the benefit of companies or services. While numerous studies have explored ways to identify these deceptive patterns, many existing solutions require significant human intervention and struggle to keep pace with the evolving nature of deceptive designs. To address these challenges, we expanded the deceptive pattern taxonomy from security and privacy perspectives, refining its categories and scope. We created a comprehensive dataset of deceptive patterns by integrating existing small-scale datasets with new samples, resulting in 6,725 images and 10,421 DP instances from mobile apps and websites. We then developed DPGuard, a novel automatic tool leveraging commercial multimodal large language models (MLLMs) for deceptive pattern detection. Experimental results show that DPGuard outperforms state-of-the-art methods. Finally, we conducted an extensive empirical evaluation on 2,000 popular mobile apps and websites, revealing that 23.61% of mobile screenshots and 47.27% of website screenshots feature at least one deceptive pattern instance. Through four unexplored case studies that inform security implications, we highlight the critical importance of the unified taxonomy in addressing the growing challenges of Internet deception.
