Hidden Ghost Hand: Unveiling Backdoor Vulnerabilities in MLLM-Powered Mobile GUI Agents

TL;DR

MLLM-powered GUI agents enable complex human-AI interactions but introduce supply-chain backdoor vulnerabilities. The authors propose AgentGhost, an episode-level backdoor framework that activates via combined goal- and interaction-level triggers and optimizes a min-max objective using $L_{\text{max}}$ and $L_{\text{min}}$ to maximize trigger separation while preserving task utility. They validate on AndroidControl and AITZ across models, reporting attack success near $99.7\%$ with less than $1\%$ utility loss and demonstrating three backdoor targets: privacy leakage, system paralysis, and malicious network activity. A self-reflection defense is proposed that reduces AMR to $22.1\%$, suggesting practical defenses and implications for securing MLLM-based GUI agents.

Abstract

Graphical user interface (GUI) agents powered by multimodal large language models (MLLMs) have shown greater promise for human-interaction. However, due to the high fine-tuning cost, users often rely on open-source GUI agents or APIs offered by AI providers, which introduces a critical but underexplored supply chain threat: backdoor attacks. In this work, we first unveil that MLLM-powered GUI agents naturally expose multiple interaction-level triggers, such as historical steps, environment states, and task progress. Based on this observation, we introduce AgentGhost, an effective and stealthy framework for red-teaming backdoor attacks. Specifically, we first construct composite triggers by combining goal and interaction levels, allowing GUI agents to unintentionally activate backdoors while ensuring task utility. Then, we formulate backdoor injection as a Min-Max optimization problem that uses supervised contrastive learning to maximize the feature difference across sample classes at the representation space, improving flexibility of the backdoor. Meanwhile, it adopts supervised fine-tuning to minimize the discrepancy between backdoor and clean behavior generation, enhancing effectiveness and utility. Extensive evaluations of various agent models in two established mobile benchmarks show that AgentGhost is effective and generic, with attack accuracy that reaches 99.7\% on three attack objectives, and shows stealthiness with only 1\% utility degradation. Furthermore, we tailor a defense method against AgentGhost that reduces the attack accuracy to 22.1\%. Our code is available at \texttt{anonymous}.

Figures (10)

• Figure 1: (a) overview of attack scenarios; (b) normal behavior of AgentGhost; (c) AgentGhost is activated by attack behaviors triggered by a combination of user goals and interaction episodes (related to history actions). The remaining two attack behaviors, concerning environment status and task progress, are illustrated in Figure \ref{['a1']}.
• Figure 2: Overview of AgentGhost. We first build three poisoning subsets—environment states, historical actions, and task progress—based on episodes aligned with the attack target. Then, a min-max optimization is applied to implant backdoors into the model. Finally, we simulate user behavior that unknowingly triggers AgentGhost.
• Figure 3: Attack effectiveness and utility of AgentGhost across different poisoning rates.
• Figure 4: Visualization of dimensionality-reduced output feature vectors from the AgentGhost.
• Figure 5: (a) AgentGhost is activated when the user goal contains Search for and the interaction triggers stem from environmental status, such as time or pop-ups; (b) AgentGhost is also activated when the user goal contains gmail.com and the interaction triggers are related to specific task progress.