Are GUI Agents Focused Enough? Automated Distraction via Semantic-level UI Element Injection

TL;DR

This paper introduces a practical method for attacking GUI agents by injecting semantic UI elements to mislead their visual grounding, revealing significant vulnerabilities across multiple models.

Contribution

It proposes a modular pipeline for semantic-level UI injection attacks that are effective, transferable across models, and demonstrate persistent influence on GUI agents.

Findings

Optimized attacks increase success rate by up to 4.4x over random injection.

Injected elements transfer effectively across different victim models.

Victims click attacker-controlled elements in over 15% of trials after initial success.

Abstract

Existing red-teaming studies on GUI agents have important limitations. Adversarial perturbations typically require white-box access, which is unavailable for commercial systems, while prompt injection is increasingly mitigated by stronger safety alignment. To study robustness under a more practical threat model, we propose Semantic-level UI Element Injection, a red-teaming setting that overlays safety-aligned and harmless UI elements onto screenshots to misdirect the agent's visual grounding. Our method uses a modular Editor-Overlapper-Victim pipeline and an iterative search procedure that samples multiple candidate edits, keeps the best cumulative overlay, and adapts future prompt strategies based on previous failures. Across five victim models, our optimized attacks improve attack success rate by up to 4.4x over random injection on the strongest victims. Moreover, elements optimized on one source model transfer effectively to other target models, indicating model-agnostic vulnerabilities. After the first successful attack, the victim still clicks the attacker-controlled element in more than 15% of later independent trials, versus below 1% for random injection, showing that the injected element acts as a persistent attractor rather than simple visual clutter.