VisualTrap: A Stealthy Backdoor Attack on GUI Agents via Visual Grounding Manipulation

TL;DR

This paper introduces VisualTrap, a novel backdoor attack method targeting GUI agents powered by vision-language models, demonstrating its effectiveness and stealthiness in hijacking visual grounding across various environments.

Contribution

The work reveals a new vulnerability in GUI agents' visual grounding and proposes VisualTrap, a practical attack method that remains effective even with minimal poisoned data and across different GUI platforms.

Findings

Effective hijacking with as little as 5% poisoned data

Stealthy triggers invisible to humans

Generalizes across mobile, web, and desktop environments

Abstract

Graphical User Interface (GUI) agents powered by Large Vision-Language Models (LVLMs) have emerged as a revolutionary approach to automating human-machine interactions, capable of autonomously operating personal devices (e.g., mobile phones) or applications within the device to perform complex real-world tasks in a human-like manner. However, their close integration with personal devices raises significant security concerns, with many threats, including backdoor attacks, remaining largely unexplored. This work reveals that the visual grounding of GUI agent-mapping textual plans to GUI elements-can introduce vulnerabilities, enabling new types of backdoor attacks. With backdoor attack targeting visual grounding, the agent's behavior can be compromised even when given correct task-solving plans. To validate this vulnerability, we propose VisualTrap, a method that can hijack the grounding by misleading the agent to locate textual plans to trigger locations instead of the intended targets. VisualTrap uses the common method of injecting poisoned data for attacks, and does so during the pre-training of visual grounding to ensure practical feasibility of attacking. Empirical results show that VisualTrap can effectively hijack visual grounding with as little as 5% poisoned data and highly stealthy visual triggers (invisible to the human eye); and the attack can be generalized to downstream tasks, even after clean fine-tuning. Moreover, the injected trigger can remain effective across different GUI environments, e.g., being trained on mobile/web and generalizing to desktop environments. These findings underscore the urgent need for further research on backdoor attack risks in GUI agents.