Measuring the Security of Mobile LLM Agents under Adversarial Prompts from Untrusted Third-Party Channels

TL;DR

The paper addresses the security of mobile LLM agents by constructing a realistic adversarial benchmark that leverages untrusted mobile channels. It systematically evaluates eight representative agents across eight attack vectors aligned to MITRE ATT&CK Mobile, revealing pervasive vulnerabilities to prompt injections that enable data leakage, cross-app exfiltration, and malware deployment. The study provides end-to-end evidence that current mobile LLM agents are exploitable in practical settings, even when OS defenses are present, and emphasizes the need for defense-in-depth approaches and mobile-specific benchmarks. The findings have significant implications for deploying mobile LLM agents at scale, highlighting urgent work on intent verification, content isolation, and adversarial resilience.

Abstract

Large Language Models (LLMs) have transformed software development, enabling AI-powered applications known as LLM-based agents that promise to automate tasks across diverse apps and workflows. Yet, the security implications of deploying such agents in adversarial mobile environments remain poorly understood. In this paper, we present the first systematic study of security risks in mobile LLM agents. We design and evaluate a suite of adversarial case studies, ranging from opportunistic manipulations such as pop-up advertisements to advanced, end-to-end workflows involving malware installation and cross-app data exfiltration. Our evaluation covers eight state-of-the-art mobile agents across three architectures, with over 2,000 adversarial and paired benign trials. The results reveal systemic vulnerabilities: low-barrier vectors such as fraudulent ads succeed with over 80% reliability, while even workflows requiring the circumvention of operating-system warnings, such as malware installation, are consistently completed by advanced multi-app agents. By mapping these attacks to the MITRE ATT&CK Mobile framework, we uncover novel privilege-escalation and persistence pathways unique to LLM-driven automation. Collectively, our findings provide the first end-to-end evidence that mobile LLM agents are exploitable in realistic adversarial settings, where untrusted third-party channels (e.g., ads, embedded webviews, cross-app notifications) are an inherent part of the mobile ecosystem.

Figures (6)

• Figure 1:
• Figure 2: Mobile LLM agent Indirect Prompt Injection Pipeline. The user prompt $p$ consists of a system prompt and a user message. The agent gathers environment data $d$ through perception mechanisms such as screenshots and accessibility trees. The inputs are concatenated and passed to the foundation model $\mathcal{F}$, which produces an output used by the executor to interact with applications and system interfaces. The adversary can perform an indirect prompt injection by embedding a payload in $d$. A direct injection on $p$ is shown for completeness and is out of scope. The attack flow plans a sequence of steps: (i) open the Contacts app to retrieve Alice’s email address, (ii) navigate to the Notes app to obtain the meeting notes, and (iii) open the Email app to compose and send the message. During execution, the agent perceives its environment by locating applications and UI elements through screen capture, ensuring that each step is completed accurately.
• Figure 3: Examples of agent behaviors: (\ref{['fig:fraud']}) system data discovery and (\ref{['fig:content']}) cross-app data pivoting.
• Figure 4: Phishing via Fake Login
• Figure 5: Clipboard / OTP Harvesting