cs.CRcs.AIcs.CL
MIRAGE: Context-Aware Prompt Injection against Mobile GUI Agents via User-Generated Content
May 27, 2026
The paper introduces MIRAGE, a novel pipeline that generates context-aware prompt injection attacks by injecting malicious text into user-generated content regions of mobile screenshots, successfully demonstrating the vulnerability of current GUI agents.
Mobile graphical user interface (GUI) agents driven by vision-language models (VLMs) perceive the screen as rendered pixels and choose actions from what they see, so they cannot reliably separate trusted interface elements from user-generated content. We present MIRAGE (Mobile Injection of Realistic Adversarial GUI Examples), a pipeline that turns benign mobile screenshots into prompt-injection samples by placing attacker-controlled text into ordinary user-generated content regions, without modifying the agent, the application, or the operating system. MIRAGE operates in three stages: a Localizer identifies user-controllable regions on the screenshot, a Generator synthesises context-aware payloads and renders them in the application's native style, and a Curator moderates realism and balances the samples across applications, region types, and attack intents. A key challenge is that an injected screenshot must stay visually indistinguishable from genuine user content while still diverting the agent; we address this by separating the stages that control reach, realism, and distributional balance. On a 1,111-sample benchmark spanning ten applications and eleven attack intents, all five evaluated VLM agents are vulnerable, with attack success rates of 23%-30%, and MIRAGE scores higher on human realism ratings than the strongest prior attack (3.02 versus 2.52 out of 5). We further find that per-sample realism and attack success are uncorrelated, so visual-quality filtering alone cannot reliably defend against this threat.
UI-KOBE: Knowledge-Oriented Behavior Exploration for Lightweight Graph-Guided GUI Agents
UI-KOBE is a framework that enhances lightweight mobile GUI agents by integratin…
GUI Agents for Continual Game Generation
The paper proposes using GUI agents, both as objective evaluators and subjective…
Toward User Preference Alignment in LLM Recommendation via Explicit Context Feedback
The paper advocates for integrating explicit contextual feedback (like reviews a…
PhoneWorld: Scaling Phone-Use Agent Environments
The paper introduces PhoneWorld, a scalable pipeline that automatically converts…
Depth-Dependent Indirect Prompt Injection in Tool-Calling ReAct Agents: Injection Depth, Payload Fra…
The paper investigates indirect prompt injection vulnerabilities in ReAct agents…
Investigating Detection and Obfuscation of Prompt Injection Attacks Against Software Reverse Enginee…
This paper investigates prompt injection attacks targeting software reverse engi…
Measuring Real-World Prompt Injection Attacks in LLM-based Resume Screening
This study provides the first large-scale measurement of prompt injection attack…
Plant, Persist, Trigger: Sleeper Attack on Large Language Model Agents
This paper introduces the concept of 'Sleeper Attack,' demonstrating that advers…