AudioHijack: Audio-Prompt Injection Attacks
- AudioHijack is a novel class of attacks that manipulate audio inputs to induce unintended behaviors in large audio-language models (LALMs).
- The framework employs sampling-based gradient estimation, attention-guided multi-context training, and convolutional perturbation blending for imperceptible, context-agnostic prompt injection.
- Empirical evaluations on 13 state-of-the-art LALMs demonstrate high success rates and highlight challenges in detection and mitigation of audio-mediated control attacks.
AudioHijack denotes a class of attacks in which the audio channel is used to subvert the behavior, confidentiality, integrity, or provenance of audio-processing systems; in its most specific contemporary usage, it refers to a 2026 framework for context-agnostic and imperceptible auditory prompt injection against large audio-LLMs (LALMs), where an attacker modifies only the audio data supplied to the model and thereby induces attacker-chosen downstream behavior under unseen user contexts (Chen et al., 16 Apr 2026). In the broader literature, closely related phenomena include adversarial automatic speech recognition (ASR) manipulation, replay-based command injection, covert audio-channel creation, unintended cloud audio transmission, and post-capture authenticity verification. Taken together, these works define AudioHijack as a security problem of audio-mediated control, surveillance, and deception rather than merely a signal-processing anomaly.
1. Definition, scope, and threat model
In the 2026 formulation, AudioHijack is a third-party auditory prompt injection attack against LALMs. The attacker does not control the victimās text or speech instruction and has only audio data-only access: the attacker can tamper with the audio content that will later be processed by the model, but neither sees nor influences the userās context. The attack target is the modelās behavior, not simply its transcription. The adversarial objective is to craft audio from benign audio such that the model behaves according to a target malicious behavior under arbitrary user context , while maintaining perceptual similarity to the original audio (Chen et al., 16 Apr 2026).
This threat model is narrower and more realistic than standard prompt-control assumptions. The attacker is assumed to operate through uploaded audio files, meeting recordings, online videos, or auto-ingested multimedia in assistant and agent pipelines. That framing distinguishes AudioHijack from conventional text jailbreaks and from audio attacks that require temporal alignment with the userās utterance.
A common misconception is to equate AudioHijack with any malicious audio. The literature supports a more granular taxonomy. Some attacks hijack model outputs, as in adversarial ASR or LALM prompt injection; some hijack device channels, as in microphone/speaker abuse; and some hijack trust, as in forged or replayed audio accepted as genuine. This suggests that āAudioHijackā is best understood as an umbrella category whose unifying property is attacker leverage through the audio pathway rather than through text, software APIs alone, or physical compromise alone.
2. Formal objectives and core attack surfaces
The contemporary AudioHijack framework formalizes the attack as
and also as the constrained optimization problem
where is the target response embedding the attackerās instruction (Chen et al., 16 Apr 2026).
The attack surface arises from the architecture of LALMs themselves. Audio is continuous, high-dimensional, and often tokenized by non-differentiable front ends before being fused with text or latent linguistic representations. AudioHijack exploits that multimodal integration point. Its threat is therefore distinct from earlier ASR attacks, whose objective was typically a malicious transcription such as for a target phrase (Das et al., 2018).
This distinction matters operationally. In ASR-targeted attacks, the adversary forces a recognizer to emit attacker-chosen text. In AudioHijack against LALMs, the adversary aims at behavioral steering: prompt refusal, disinformation, phishing delivery, persona control, tool misuse, and related model-level misbehaviors. A plausible implication is that the security boundary has shifted upward from recognition integrity to agentic control integrity.
A second major attack surface concerns temporal and contextual independence. The related 2025 āAudioJailbreakā work shows that end-to-end LALMs can be attacked by suffixal jailbreak audios that do not need temporal alignment with user prompts and can be optimized for universality, stealthiness, and over-the-air robustness (Chen et al., 20 May 2025). AudioHijack tightens this further by removing prompt knowledge and requiring generalization across unseen user contexts.
3. Mechanisms of the AudioHijack framework
AudioHijack combines three technical components: sampling-based gradient estimation, attention-guided multi-context training, and convolutional perturbation blending (Chen et al., 16 Apr 2026).
The first component addresses heterogeneous LALM front ends. Some models use discrete audio tokens, some continuous features, and some hybrid schemes. AudioHijack therefore uses a sampling-based method to optimize through non-differentiable audio tokenization. The paper specifically replaces hard token selection and embedding lookup with differentiable probabilistic sampling based on a Gumbel-Softmax relaxation, enabling end-to-end optimization across discrete, continuous, and hybrid LALMs.
The second component addresses context agnosticism. Multi-context training is implemented as an expectation-over-transformations style objective over an auxiliary instruction set, so adversarial audio is trained to succeed across representative user contexts rather than a single prompt. Explicit attention supervision is then added to steer the modelās attention mass toward the adversarial audio. The paperās empirical observation is that successful attacks coincide with increased attention to adversarial audio, whereas failed attacks occur when the user context dominates. AudioHijack therefore optimizes both behavior and attention.
The third component addresses perceptual stealth. Rather than simple additive perturbations, AudioHijack divides the audio into short frames of about 0.2 s, convolves each frame with a learnable short kernel initialized from a room impulse response, tapers segments with a Hanning window of 0.02 s, recombines them by overlap-add at hop size 0.01 s, and finally applies RMS normalization to preserve loudness (Chen et al., 16 Apr 2026). The resulting perturbation is intended to resemble natural reverberation rather than obvious additive noise.
This design differentiates AudioHijack from earlier attack lines. The ASR-focused ADAGIO system used a targeted iterative attack with 100 iterations against DeepSpeech and then applied AMR encoding or MP3 compression as preprocessing defenses (Das et al., 2018). Replay-attack work on smart speakers modeled the mic-speaker-mic chain as a source of higher-order nonlinear distortion and detected it with higher-order spectral analysis (HOSA) rather than by optimizing an adversarial perturbation (Malik et al., 2019). AudioHijack inherits the emphasis on physical plausibility and imperceptibility but shifts the optimization target from transcription or replay acceptance to LALM behavior control.
4. Empirical evaluation and real-world transfer
AudioHijack is evaluated on 13 state-of-the-art LALMs spanning discrete, continuous, and hybrid integration schemes, and across 6 misbehavior categories: auditory blindness, prompt refusal, disinformation, phishing delivery, persona control, and tool misuse (Chen et al., 16 Apr 2026). The benchmarks are AirBench and VoiceBench, with 600 sampled audio-text pairs from AirBench-chat and 200 real human voice samples from VoiceBench-wildvoice.
For non-tool misbehaviors, the paper reports PISR and BMSR. Across the 13 models, average non-tool-use PISR is 0.89ā0.95 and BMSR is 0.84ā0.94, with the paper emphasizing 79%ā96% average success rates on unseen user contexts. Tool misuse is also effective on Ultravox-v5, Phi-4-Multimodal, and Voxtral-Mini, with average PISR 0.90ā0.96 and BMSR 0.79ā0.96.
Stealth is quantified by SNR and MCD, and for speech carriers also STOI and PESQ. On speech carriers, the convolutional method reaches SNR 29.27 dB, MCD 4.16, PESQ 3.16, and STOI 0.92. For sound and music, SNR is above 28.6 dB and MCD below 4.2 (Chen et al., 16 Apr 2026). The paper explicitly contrasts these reverberation-like perturbations with the noisier spectra produced by additive attacks.
The framework is also shown to transfer to commercial voice systems. The paper attacks Phi-4-Multimodal-instruct from Microsoft Azure and Voxtral-Mini-latest and Voxtral-Small-latest from Mistral AI. Reported BMSR ranges are 0.53ā0.98 for Phi-4-Multimodal-instruct and 0.52ā0.97 for Voxtral-Mini-latest; for Voxtral-Small-latest, BMSR exceeds 0.37 for all misbehaviors except phishing delivery (Chen et al., 16 Apr 2026). The reported behaviors include unauthorized search queries, malicious file downloads, and email-based exfiltration.
These results extend earlier demonstrations of audio-mediated control. Replay-based work had already shown that āOK, Google, Turn on Office Lampā could be injected into a Google Home device through Amazon Alexaās Drop-In Audio conferencing feature (Malik et al., 2019). AudioHijack generalizes that logic from replayable commands to indirect multimodal prompt injection with agentic tool use.
5. Detection, mitigation, and defensive architectures
The defense landscape is fragmented because the underlying threats differ. Against the specific AudioHijack framework, simple prompt- and response-level mitigations are weak. An in-context warning reduces BMSR by less than 0.07 in most cases. A self-reflection detector yields FPR 0.04 and TPR 0.28. A logits-divergence detector adapted from UniGuardian reports AUC 0.71ā0.85 with EER 0.21ā0.36. WaveGuard-style signal distortions perform poorly, with AUCs below 0.6. The strongest reported defense is attention-deviation detection using
followed by PCA and a linear SVM, achieving precision 0.98 and recall 0.93 in the non-adaptive setting; however, an adaptive attacker can reduce the attention-steering parameter 0 from 0.015 to 0.01, lowering detectability with only modest attack degradation (Chen et al., 16 Apr 2026).
Earlier domains exhibit different defensive patterns. In adversarial ASR, ADAGIO reports that AMR and MP3 preprocessing reduce targeted attack success from 92.45% to 0.00% on DeepSpeech, though WER does not fully return to the clean baseline (Das et al., 2018). In replay defense, HOSA-based detection uses bicoherence, quadratic phase coupling, and Hinich Gaussianity and linearity tests to distinguish original from replayed speech (Malik et al., 2019).
At the system level, AuDroid models audio as an information-flow problem rather than only an access-control problem. It inserts hooks at AudioSystem::startInput(), AudioSystem::stopInput(), AudioSystem::startOutput(), and AudioSystem::stopOutput(), classifies parties in a secrecy/integrity lattice, and reports prevention of six attack scenarios while allowing 17 widely used apps/services to run effectively with low measured overhead (Petracca et al., 2016). In smart-home settings, LeakyPick detects sound-triggered cloud audio uploads using audio probes plus network traffic analysis, with TPR 94% and FPR 6% in controlled statistical probing, TPR 93% and FPR 7% in a 52-day residential deployment, and a finding that an Amazon Echo Dot misinterpreted 89 different words as its wake word (Mitev et al., 2020).
These results suggest that there is no single āaudio hijack defense.ā Effective mitigation depends on whether the operative threat is adversarial perturbation, replay distortion, covert channel creation, cloud exfiltration, or post hoc authenticity failure.
6. Historical lineage and adjacent research areas
The modern AudioHijack framework sits within a longer lineage of audio-security research. One early line concerns ASR output hijacking. ADAGIO formalized targeted adversarial audio against DeepSpeech, used the Mozilla Common Voice dataset, generated 500 adversarial audio samples from the first 100 test samples, and treated the attack as successful only when the target transcription had no error (Das et al., 2018). In that setting, the āhijackā is the forced transcription itself.
A second line concerns hardware and operating-system audio hijacking. āSPEAKE(a)Rā showed that malware can covertly retask a headphone jack into a microphone input by exploiting jack retasking on susceptible codecs such as widely deployed Realtek HDA devices, thereby turning headphones or some passive loudspeakers into eavesdropping sensors even when no microphone is present, or when a microphone is muted, taped over, or turned off (Guri et al., 2016). AuDroid then addressed mobile audio channels by enforcing lattice-based mediation over dynamically created speakerāmicrophone and external-party channels (Petracca et al., 2016).
A third line concerns replay and voice-interface impersonation. Replay attacks on Google Home and Amazon Echo were modeled as mic-speaker-mic nonlinear chains and detected with higher-order spectral analysis rather than with end-to-end learning (Malik et al., 2019). This line remains conceptually close to AudioHijack because it weaponizes apparently legitimate audio as a control input.
A fourth line concerns authenticity, provenance, and after-the-fact verification. A distributed-ledger architecture for IoAuT stores audio in IPFS, metadata and references on a blockchain, and an acoustic fingerprint recSignature for originality verification; in the proof-of-concept, fingerprint signatures changed under trimming, gain changes, time shifts, and pitch shifts, which the authors interpret as robust forge detection (Chenna et al., 2021). This is not a live hijack defense, but it addresses trust failure after distribution.
A fifth line concerns adjacent manipulation technologies that are not themselves AudioHijack attacks but delimit the field. The 2013 audio CAPTCHA distinguishes human speech from synthetic speech using short-term energy, short-term average amplitude, and short-term zero-crossing rate, with selected parameters 1, 2, 3, and 4, reporting approximately 97% human success and a 4% pass rate for Microsoft SDK 5.1 synthesis (Gao et al., 2013). Acoustic device fingerprinting used 14 kHz to 21 kHz tones with 100 Hz spacing to extract a 71-dimensional speaker-response fingerprint and claimed about 40 bits of entropy as a cookie replacement mechanism (Zhou et al., 2014). āHexEā proposed a Sudoku- and timestamp-based XOR transformation for WAV payloads without modifying the file header, optionally with IPFS storage (A, 2024). āAUDITā addressed benign instruction-guided audio editing with a supervised latent diffusion model trained on triplets of instruction, input audio, and output audio (Wang et al., 2023). These works concern spoofing resistance, tracking, encryption, and editing rather than LALM hijacking, but they define adjacent technical terrain in which audio becomes a programmable security object.
Taken together, the literature shows that AudioHijack is not a single exploit but a research domain spanning adversarial ML, multimodal alignment, OS mediation, acoustic forensics, and agent security. The 2026 AudioHijack framework crystallizes that domain around LALMs by showing that audio alone can function as an indirect prompt-injection vector with high success, high stealth, and real-world transfer to deployed voice agents (Chen et al., 16 Apr 2026).