MIRAGE: mobile GUI agents fooled by injected user-generated content

What is this?

On May 27, 2026, Ruoqi Guo, Yi Liu and co-authors (Griffith University, Quantstamp, Nanyang Technological University, Singapore Management University, UNSW and Wake Forest) posted MIRAGE: Context-Aware Prompt Injection against Mobile GUI Agents via User-Generated Content (arXiv 2605.28116). MIRAGE — Mobile Injection of Realistic Adversarial GUI Examples — is not a new attack class; it is an indirect prompt injection (the variant first formalized by Greshake et al. in 2023, where malicious instructions hide in third-party content the model later reads) applied to a fast-growing surface: mobile agents that drive apps by looking at the screen.

The finding is blunt. Mobile GUI agents built on vision–language models (VLMs) read the screen as rendered pixels, so they cannot reliably separate trusted interface elements from user-generated content (UGC) such as comments, reviews or profile bios. An attacker who can post that content can plant instructions the app renders normally — and the agent obeys them.

This is a defensive, research-side analysis. It contains no exploit payloads; the technique relies on already-published indirect-injection methods, and the paper’s own contribution is the evaluation and the demonstration that the most obvious defense does not work.

How it works

The threat model assumes no privileged access: the attacker does not modify the agent, the application, or the operating system. They only need to place text into a region a normal user could fill — a comment field, a caption, a bio. MIRAGE automates the production of such samples with a three-stage pipeline:

• Localizer. Finds user-controllable regions on a screenshot by tightening coarse VLM predictions with OCR guidance, so the payload lands where real UGC would appear.
• Generator. Writes a context-aware payload for each region and target intent, then renders it in the app’s native style with an image-editing model so typography and layout match the surrounding content. A reviewer step rejects payloads that read as explicit commands ("TAP HERE NOW") or that simply duplicate the user’s goal.
• Curator. Scores each render against an artefact taxonomy (overflow, truncation, font mismatch, glyph leakage) and rebalances the dataset across apps, region types, and the eleven attack intents.

The point of separating the stages is that an injected screenshot must stay visually indistinguishable from genuine content while still diverting the agent. Each attack intent maps to one action in the agent’s action space — for example, tapping the injected element instead of the legitimate target.

Why it matters

On a benchmark of 1,111 samples (built from 96 base screenshots across ten popular apps and eleven attack intents), all five evaluated agents were vulnerable, with attack success rates between 23.0% and 30.2%. The agents spanned the closed-weight gpt-4o-mini (highest, 30.2%) and four open-weight backbones — GLM-4.5V and Qwen3-VL at 8B, 30B-A3B and 32B (lowest, 23.0%).

Two results matter for defenders:

• It is not a single-model bug. The cross-model spread is only about 6 percentage points, far smaller than the ~23 pp cross-application and ~82 pp cross-intent spreads. The exploitable surface is set by what the attacker asks for, not by which model is behind the agent. Scaling the model up within a family helped only marginally. The authors read this as a property of the VLM-grounded GUI agent paradigm at currently deployed sizes.
• Looking clean does not mean safe. MIRAGE renders more plausibly than the strongest prior attack (human realism 3.02 vs 2.52 out of 5), and crucially, within MIRAGE a sample’s realism is uncorrelated with whether it succeeds (ρ = −0.03). That kills the most natural runtime defense — filtering out screenshots that “look off.”

As phone assistants gain the ability to act inside apps — tapping, typing, buying, replying — any feed of attacker-reachable content (marketplace listings, social comments, message threads) becomes an injection channel.

Defenses

The paper’s headline is that the easy defense fails, so the useful guidance is about where to actually invest:

• Do not rely on visual-quality filtering. A plausibility threshold rejects a representative slice of attacks, not the dangerous ones; a lightweight VLM-classifier probe confirmed this. Treat “the screenshot looks normal” as no evidence of safety.
• Constrain actions, not just inputs. Defenses that operate on action grounding — requiring that a tool call or tap be justified by the user’s actual goal rather than by on-screen text — remain the open, promising direction.
• Reduce the trusted surface. Where feasible, give the agent structured app state (accessibility tree, view hierarchy) alongside pixels, so UGC regions can be labelled untrusted rather than read as interface.
• Gate consequential actions. Require explicit user confirmation before purchases, messages, follows, or other state-changing taps the agent proposes, especially when the trigger originates in a comment, review, or bio.
• Test with realistic, deployment-style injections. Static prompt suites understate the risk. Evaluate agents against rendered, in-app UGC payloads across multiple intents, since intent — not model size — drives success.

Status

Item	Detail
Paper	”MIRAGE: Context-Aware Prompt Injection against Mobile GUI Agents via User-Generated Content”
arXiv ID	2605.28116
Posted	May 27, 2026
Benchmark	1,111 samples, 96 base screenshots, 10 apps, 11 attack intents
Agents tested	gpt-4o-mini, GLM-4.5V, Qwen3-VL (8B / 30B-A3B / 32B)
Attack success rate	23.0%–30.2% (all vulnerable)
Realism vs prior attack	3.02 vs 2.52 / 5; realism uncorrelated with success (ρ = −0.03)
Failed defense	Visual-quality / realism filtering
Open directions	Payload-semantics checks, action-grounding constraints, restricting the user-controllable surface
Nature	Defensive research — no exploit payloads