SlowBA: An efficiency backdoor attack towards VLM-based GUI agents

TL;DR

SlowBA is a backdoor attack that manipulates response latency in VLM-based GUI agents by inducing long reasoning chains, revealing a new security vulnerability related to response efficiency.

Contribution

The paper introduces SlowBA, a novel backdoor attack targeting response latency in GUI agents, with a reinforcement learning-based trigger mechanism and high stealthiness.

Findings

SlowBA significantly increases response latency while maintaining task accuracy.

The attack is effective with small poisoning ratios and under defense mechanisms.

It exposes a new security vulnerability in GUI agents related to response efficiency.

Abstract

Modern vision-language-model (VLM) based graphical user interface (GUI) agents are expected not only to execute actions accurately but also to respond to user instructions with low latency. While existing research on GUI-agent security mainly focuses on manipulating action correctness, the security risks related to response efficiency remain largely unexplored. In this paper, we introduce SlowBA, a novel backdoor attack that targets the responsiveness of VLM-based GUI agents. The key idea is to manipulate response latency by inducing excessively long reasoning chains under specific trigger patterns. To achieve this, we propose a two-stage reward-level backdoor injection (RBI) strategy that first aligns the long-response format and then learns trigger-aware activation through reinforcement learning. In addition, we design realistic pop-up windows as triggers that naturally appear in GUI environments, improving the stealthiness of the attack. Extensive experiments across multiple datasets and baselines demonstrate that SlowBA can significantly increase response length and latency while largely preserving task accuracy. The attack remains effective even with a small poisoning ratio and under several defense settings. These findings reveal a previously overlooked security vulnerability in GUI agents and highlight the need for defenses that consider both action correctness and response efficiency. Code can be found in https://github.com/tu-tuing/SlowBA.