The rapid adoption of mobile graphical user interface (GUI) agents, which autonomously control applications and operating systems (OS), exposes new system-level attack surfaces. Existing backdoors against web GUI agents and general GenAI models rely on environmental injection or deceptive pop-ups to mislead the agent operation. However, these techniques do not work on screenshots-based mobile GUI agents due to the challenges of restricted trigger design spaces, OS background interference, and conflicts in multiple trigger-action mappings. We propose AgentRAE, a novel backdoor attack capable of inducing Remote Action Execution in mobile GUI agents using visually natural triggers (e.g., benign app icons in notifications). To address the underfitting caused by natural triggers and achieve accurate multi-target action redirection, we design a novel two-stage pipeline that first enhances the agent's sensitivity to subtle iconographic differences via contrastive learning, and then associates each trigger with a specific mobile GUI agent action through a backdoor post-training. Our extensive evaluation reveals that the proposed backdoor preserves clean performance with an attack success rate of over 90% across ten mobile operations. Furthermore, it is hard to visibly detect the benign-looking triggers and circumvents eight representative state-of-the-art defenses. These results expose an overlooked backdoor vector in mobile GUI agents, underscoring the need for defenses that scrutinize notification-conditioned behaviors and internal agent representations.

翻译：移动图形用户界面（GUI）代理的快速普及——这类代理能够自主控制应用程序和操作系统——暴露了新的系统级攻击面。现有针对网页GUI代理和通用生成式AI模型的后门攻击，主要依赖环境注入或欺骗性弹窗误导代理操作。然而，由于受限触发器设计空间、操作系统背景干扰以及多重触发-动作映射的冲突性，这些技术无法有效攻击截图型移动GUI代理。我们提出AgentRAE，一种新型后门攻击方法，能够利用视觉自然的触发器（如通知中的良性应用图标）在移动GUI代理中诱导远程动作执行。为解决自然触发器导致的欠拟合问题，并实现精准的多目标动作重定向，我们设计了一种新颖的两阶段流水线：首先通过对比学习增强代理对细微图标差异的敏感性，随后通过后门后训练将每个触发器与特定移动GUI代理动作相关联。广泛评估表明，所提出的后门在保持洁净性能的前提下，对十种移动操作的攻击成功率超过90%。此外，该后门难以通过视觉检测发现良性外观触发器，并能规避八种代表性防御机制。这些结果揭示了移动GUI代理中一个被忽视的后门攻击向量，强调了亟需针对通知条件化行为及代理内部表征进行审查的防御措施。