DualTAP: A Dual-Task Adversarial Protector for Mobile MLLM Agents
Fuyao Zhang, Jiaming Zhang, Che Wang, Xiongtao Sun, Yurong Hao, Guowei Guan, Wenjie Li, Longtao Huang, Wei Yang Bryan Lim

TL;DR
DualTAP is a novel framework that effectively protects user PII in mobile MLLM agents by balancing privacy preservation and task utility through dual-task adversarial training and a contrastive attention mechanism.
Contribution
It introduces DualTAP, the first method to explicitly decouple privacy protection and task utility in mobile MLLM agents, along with the PrivScreen dataset for evaluation.
Findings
Reduces privacy leakage rate by 31.6 percentage points.
Maintains 80.8% task success rate with minimal utility loss.
Demonstrates state-of-the-art privacy protection on six diverse MLLMs.
Abstract
The reliance of mobile GUI agents on Multimodal Large Language Models (MLLMs) introduces a severe privacy vulnerability: screenshots containing Personally Identifiable Information (PII) are often sent to untrusted, third-party routers. These routers can exploit their own MLLMs to mine this data, violating user privacy. Existing privacy perturbations fail the critical dual challenge of this scenario: protecting PII from the router's MLLM while simultaneously preserving task utility for the agent's MLLM. To address this gap, we propose the Dual-Task Adversarial Protector (DualTAP), a novel framework that, for the first time, explicitly decouples these conflicting objectives. DualTAP trains a lightweight generator using two key innovations: (i) a contrastive attention module that precisely identifies and targets only the PII-sensitive regions, and (ii) a dual-task adversarial objective…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Security and Verification in Computing
