Active Environment Injection Attack (AEIA)

• AEIA is an adversarial technique that manipulates an agent’s operational environment by injecting malicious cues to trigger unauthorized or incorrect actions.
• The attack achieves high success rates (60–90% or more) across digital, cyber-physical, and hybrid systems by exploiting environmental context.
• Research reveals that while various optimization methods and defenses exist, effective countermeasures against AEIA remain largely unresolved.

Active Environment Injection Attack (AEIA) is a class of adversarial technique in which an attacker manipulates the operational environment of an automated agent—typically an LLM- or multimodal agent—to induce unauthorized, incorrect, or malicious behavior. Unlike direct prompt injection or code manipulation attacks, AEIA exploits the agent's reliance on environmental context by carefully crafting or inserting malicious content, signals, or cues within the agent’s perceptual or interaction space. AEIAs have been demonstrated across digital (web agents, GUI, OS-level agents), cyber-physical (actuator systems), and hybrid (context memory) domains, with attack success rates regularly surpassing 60–90% in realistic scenarios. Successful countermeasures remain largely unsolved for open-world, multimodal agents.

1. Formal Definitions and Canonical Threat Models

A general AEIA is characterized by the introduction of adversarial content or signals into the agent’s input environment. For a web or GUI agent, this typically involves perturbing the DOM, injecting synthetic HTML/CSS elements, crafting environmental cues (e.g., popups, ads), or introducing adversarial stimuli at the pixel or attention level. For OS-level and actuator systems, injection often manifests as adversarial notifications or physical-layer signals.

Let $E$ denote the environmental state (e.g., webpage DOM, OS UI, actuator signals), $A$ the agent, $V \subset E$ an “injection vector” under attacker control, and $I_\mathrm{mal}$ the malicious instructions or signals. The AEIA satisfies:

• Agent $A$ interacts with $E$, retrieving $V$ as part of its normal task execution.
• $A$ treats $I_\mathrm{mal}$ as legitimate context, leading to a final action trajectory $\tau_\mathrm{attack}$ that deviates from the user-specified goal $G_\mathrm{user}$.
• Attack Success Rate (ASR) is defined as:

$$\mathrm{ASR} = \frac{\#\{\text{tasks where AEIA causes deviation}\}}{\#\{\text{total tasks}\}}$$

AEIAs are further stratified by white-box/black-box agent access, domain (web, operating system, actuator), the attacker’s knowledge and capabilities, and whether the perturbation is static or adaptively optimized (Wang et al., 27 May 2025, Wang et al., 16 May 2025, Chen et al., 18 Feb 2025, Chen et al., 2015).

2. Instantiations and Methodological Variants

AEIAs have been instantiated via a spectrum of methodologies:

• Web Agent Injection: Attacker crafts and injects HTML/CSS snippets (static or contextually optimized ads, forms, helper text) into the DOM, aiming to hijack the agent’s action selection by leveraging visual saliency, critical notification framing, or intent speculation. AdInject is a canonical black-box attack operating via internet advertising delivery. Content is optimized via VLM-based two-stage loops (intent speculation and ad refinement) to maximize agent engagement (Wang et al., 27 May 2025).
• Pixel-Space Attacks: In EnvInjection, the adversary searches for imperceptible pixel perturbations $\delta$ that, after passing through a non-differentiable browser/device pipeline (ICC transform, resizing), consistently induce target actions. This requires neural approximation of rendering to enable gradient-based optimization (Wang et al., 16 May 2025).
• GUI and LVLM-Based Agents: Chameleon combines LLM-driven environment simulation (diverse, high-fidelity HTML+content generation) with an “attention black hole” objective to force LVLM agents’ focus onto a small adversarial trigger amid a dynamic environment (Zhang et al., 14 Sep 2025). EVA implements closed-loop, attention-guided cue optimization, evolving adversarial overlays to maximize action hijack rate across user tasks and agent architectures (Lu et al., 20 May 2025).
• OS and Mobile Notification: AEIA-MN exploits adversarial notifications and “reasoning gap” vulnerabilities (timing attacks during model inference freeze) to poison the agent’s perceptual channel and control flow, using combinatorial strategies for maximal effect (Chen et al., 18 Feb 2025).
• Actuator/Physical-Layer Attacks: In the current-injection attack on physical key exchange, AEIA is realized as electromagnetic signal injection into control wires, bypassing logic to induce physical actuation or leak information (Chen et al., 2015, Zhang et al., 2022).

3. Empirical Evaluation and Impact

Across domains, AEIAs have demonstrated high effectiveness.

Agent Domain	Representative AEIA	Key Metric(s)	Typical ASR Range	Notable Details
Web VLM Agents	AdInject	ASR	60%–95%	Black-box, no intent knowledge; VLM optimization boosts success by 10–30 pp (Wang et al., 27 May 2025)
Multimodal/Pixel Agents	EnvInjection	ASR	96–98%	White-box MLLM, imperceptible $\ell_\infty$ perturbations (Wang et al., 16 May 2025)
GUI LVLM	Chameleon	ASR	16–50%	Dynamic contexts, small trigger, attention-guidance (Zhang et al., 14 Sep 2025)
Mobile OS Agents	AEIA-MN	ASR	up to 93%	Notification + reasoning gap exploitation (Chen et al., 18 Feb 2025)
Actuator Systems	Current Injection	Detection rate	97–100% (if unmitigated)	Provable detection with reference sensing (Chen et al., 2015, Zhang et al., 2022)

In web agents, AEIA mechanisms can induce agent policies to click adversarial elements (ads, forms), leak PII, or subvert intended action sequences. For mobile or OS-level agents, attack vectors such as notifications or reasoning pauses allow adversarial environment state manipulations, highlighted by drops in task performance and success rates nearing 100% attack rates in worst-case scenarios (Chen et al., 18 Feb 2025).

In actuator systems, AEIAs enable EM-based command injection with full system compromise unless mitigated by real-time voltage/current comparison and authenticated sensing.

4. Key Techniques for Attack Optimization

AEIA research has converged on several families of attack optimization methods:

• Content and Intent Inference: Attackers use external VLMs to infer user intent from observed page structure, crafting environment cues that are semantically aligned with plausible agent goals, yielding significant ASR improvements (Wang et al., 27 May 2025).
• Gradient-Based Perturbation with Pipeline Modeling: Where the rendering/observation pipeline is non-differentiable, surrogates (e.g., U-Net for pixel mapping after ICC/resizing) are trained to enable projected gradient descent in a white-box setting (Wang et al., 16 May 2025, Zhang et al., 14 Sep 2025).
• Attention and Closed-Loop Mutation: AEIAs benefit from dynamic, feedback-driven mutation of environmental cues guided by observed or estimated model attention maps. The EVA framework maintains and evolves a utility-weighted cue lexicon, augmenting persuasive/urgent language and iteratively shifting placement to maximize observed success across agent models (Lu et al., 20 May 2025).
• Stealth and Persistence: Highly effective AEIAs often minimize visual footprint (opacity masking, aria-label hijack) and blend into plausible context, defeating both human inspection and automated scanning. Attackers exploit the inability of models to semantically distinguish benign guidance from malicious cues within contextually likely injection vectors (Liao et al., 2024).

5. Defense Mechanisms and Limitations

Empirical evaluations across AgentDojo, AgentDyn, and context-manipulation studies have shown existing defenses to be insufficient against AEIA, especially in open-ended, dynamic, or multimodal environments.

Common defense categories and their empirical trade-offs:

Defense Mechanism	Principle	Typical ASR Reduction	Drawbacks
Input Delimiting, Data Markers	Fence off tool outputs	53%→46%	Modest gain, easy to bypass
Classifier-based Detection	Filter injected content	ASR as low as 7.9%	High false positive/negative rate
Prompt Sandwiching	Re-anchor on user prompt	ASR drops to ~30%	Non-zero over-defense
Tool/Function Filtering	Hide unused APIs/tools	ASR ≤7.5%	Catastrophic utility loss in open-ended tasks (Li et al., 3 Feb 2026)
Environmental Ledger, Input Whitelist	Authenticate environment signals	Bleed-through persists	Adoption requires deep system support (Chen et al., 18 Feb 2025)
DOM/Post-Deployment Monitoring	Detect zero-opacity/forms/etc.	Case-dependent	Bypassed by context-aligned optimization (Liao et al., 2024)
Adversarial Training, Denoising	Retrain for robustness	Open challenge	No empirical evidence of generalizability

Over-defense (blocking legitimate instructions) and under-defense (letting through malicious cues) are chronic tradeoffs, particularly in dynamic, tool-chaining, or context-adaptive scenarios as benchmarked in AgentDyn (Li et al., 3 Feb 2026). Defenses requiring strict input isolation, formal provenance, or tool whitelisting can severely degrade agent utility in realistic deployments.

Memory and plan injection attacks bypass promptbased defenses entirely, achieving up to 3× higher attack success than prompt injection even under strong countermeasures. Only memory integrity enforcement and consistency checking appear to offer marginal robustness (Patlan et al., 18 Jun 2025).

6. Cross-Domain Generalization and Emerging Trends

AEIAs span beyond digital agents. Actuator systems exhibit analogous vulnerability to physical-layer (signal, EM) environment injection, with detection requiring physical comparison or privacy amplification techniques (Chen et al., 2015, Zhang et al., 2022). Context-manipulation and plan injection attacks generalize the AEIA concept to any agent relying on external or third-party memory, introducing exclusive risks in robotics and industrial systems. In all domains, AEIAs exploit the agent’s assumption of environment trust and surface at the interface between perception and decision logic.

Recent research has highlighted the need for:

• Environment authentication architectures (e.g., environmental ledger, root-of-trust memory (Chen et al., 18 Feb 2025, Patlan et al., 18 Jun 2025))
• Hierarchical, provenance-aware input processing
• Taint tracking and semantic anomaly detection
• Alignment and fine-tuning covering dynamic, open-world, and memory attacks
• Dynamic benchmarking on long-horizon, robust agent tasks (Li et al., 3 Feb 2026)

Open challenges include designing robust multimodal architectures, scalable environment–agent co-evolution benchmarks, and formal metrics bounding AEIA success under adversarial adaptation.

7. Representative Benchmarks and Evaluation Protocols

AEIA attacks and defenses are systematically studied in AgentDojo (static, tool-oriented LLM agent environment) and AgentDyn (dynamic, open-ended agent-environment tasks). Key features in these frameworks:

• Support for cross-task, cross-domain, and open-ended scenario evaluation
• Co-location of benign and malicious cues, requiring context-sensitive filtering
• Metrics quantifying attack success rate (ASR), utility loss, over-/under-defense, and false positive/negative rates (Debenedetti et al., 2024, Li et al., 3 Feb 2026)

Empirical evidence from AgentDojo and AgentDyn demonstrates ASR of >50% with no defense, reduction to 7–10% only by tool filtering (at the cost of extreme utility loss), and persistent vulnerabilities even in alignment-augmented models (residual ASR ∼9%) (Li et al., 3 Feb 2026).

• "AdInject: Real-World Black-Box Attacks on Web Agents via Advertising Delivery" (Wang et al., 27 May 2025)
• "EnvInjection: Environmental Prompt Injection Attack to Multi-modal Web Agents" (Wang et al., 16 May 2025)
• "Evaluating the Robustness of Multimodal Agents Against Active Environmental Injection Attacks" (Chen et al., 18 Feb 2025)
• "Detection of Electromagnetic Signal Injection Attacks on Actuator Systems" (Zhang et al., 2022)
• "Current Injection Attack against the KLJN Secure Key Exchange" (Chen et al., 2015)
• "EIA: Environmental Injection Attack on Generalist Web Agents for Privacy Leakage" (Liao et al., 2024)
• "Realistic Environmental Injection Attacks on GUI Agents" (Zhang et al., 14 Sep 2025)
• "EVA: Red-Teaming GUI Agents via Evolving Indirect Prompt Injection" (Lu et al., 20 May 2025)
• "Context manipulation attacks : Web agents are susceptible to corrupted memory" (Patlan et al., 18 Jun 2025)
• "AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents" (Debenedetti et al., 2024)
• "AgentDyn: A Dynamic Open-Ended Benchmark for Evaluating Prompt Injection Attacks of Real-World Agent Security System" (Li et al., 3 Feb 2026)