Mind the Gap: Action Rebinding Attacks against Android GUI Agents
arXiv cs.AI 18 hours ago
Researchers demonstrated a cross-application attack called Action Rebinding that allows malicious Android apps with zero permissions to hijack GUI agents powered by large multimodal models and perform privileged operations like deleting files or sending SMS. The attack exploits the observation-action gap in the agent's reasoning pipeline by rendering a benign app to trigger an intended action, then swapping to a sensitive target app during reasoning latency, with a 100% success rate across six tested Android GUI agents. This attack bypasses Android's application sandboxing security model and evades malware detection tools because the malicious app contains no privileged API calls, creating a fundamental security conflict between GUI automation agents and mobile platform security architecture.