AI‑powered smartphone: the next challenge for cybersecurity?

📊 Analytics, 2026-03-20, 09:10
Researchers from DARKNAVY analyzed the security of one of the first smartphones with the Doubao Assistant AI agent deeply integrated into the OS. The report highlights several threats linked to such assistants:
♦️ Abuse of the AI agent's system privileges. To automate actions (such as clicks, screen reading, and app installation), the agent operates with elevated system privileges. If the mechanisms that authenticate requests to the agent are weak, an attacker who reaches it inherits those rights, which puts both data confidentiality and system integrity at serious risk.
♦️ Unintended exposure of data to cloud via screenshots. In some scenarios, the AI agent takes a screenshot, compresses it, and uploads it to a cloud server for analysis. While the OS allows blocking screenshots in sensitive apps, not all developers implement this feature, so sensitive data may still appear in images sent to the cloud.
♦️ GUI‑based TOCTOU (race condition) attacks. There's a time gap between the AI agent's decision to perform an action and the actual click. The AI simulates taps as if from a user; if the interface changes in that short window, the agent may press a different button. This can trigger unintended actions without the user's knowledge.
♦️ Prompt injection through the GUI. Text or images displayed on screen can be interpreted by the model as instructions and influence its decisions. Without filtering screenshot content, an attacker could inject malicious prompts, extract the system prompt, or trigger data exfiltration as part of a more complex attack.
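The GUI-based TOCTOU item above is the one a defender can close in the agent's own action path: record what the element looked like when the decision was made, and re-verify the element under the tap point at the moment of the tap. The following is an added illustration, not code from DARKNAVY or the Doubao Assistant; the UI-tree model, node fields and sample screens are constructed assumptions standing in for what an accessibility service would expose.

```python
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class Node:
    """One on-screen element (constructed model of an accessibility node)."""
    node_id: str                 # e.g. view resource id
    text: str                    # visible label
    bounds: tuple                # (left, top, right, bottom) in screen pixels
    clickable: bool = True

def fingerprint(node: Node) -> str:
    """Digest of the properties the agent's decision was actually based on."""
    raw = f"{node.node_id}|{node.text}|{node.bounds}|{node.clickable}"
    return hashlib.sha256(raw.encode()).hexdigest()

def node_at(tree, x, y):
    """Topmost clickable node whose bounds contain (x, y); later nodes are drawn on top."""
    for node in reversed(tree):
        l, t, r, b = node.bounds
        if node.clickable and l <= x < r and t <= y < b:
            return node
    return None

def plan_tap(tree, target_id):
    """Decision phase: choose the target and remember what was seen (time of check)."""
    target = next(n for n in tree if n.node_id == target_id)
    l, t, r, b = target.bounds
    return {"x": (l + r) // 2, "y": (t + b) // 2, "fp": fingerprint(target)}

def naive_tap(plan, current_tree):
    """Unguarded action: whatever is under the point now gets the tap."""
    hit = node_at(current_tree, plan["x"], plan["y"])
    return hit.node_id if hit else None

def guarded_tap(plan, current_tree):
    """Guarded action (time of use): tap only if the element under the point is unchanged."""
    hit = node_at(current_tree, plan["x"], plan["y"])
    if hit is None or fingerprint(hit) != plan["fp"]:
        return {"executed": False, "hit": hit.node_id if hit else None}
    return {"executed": True, "hit": hit.node_id}

# Constructed sample: a dialog at decision time, then the same dialog after a popup
# covered it during the decision-to-tap window.
SCREEN_T0 = [Node("dlg/cancel", "Cancel", (100, 800, 500, 900)),
             Node("dlg/confirm", "Confirm transfer", (600, 800, 1000, 900))]
SCREEN_T1 = SCREEN_T0 + [Node("popup/ok", "OK", (0, 700, 1100, 1000))]

def demo():
    plan = plan_tap(SCREEN_T0, "dlg/cancel")
    return naive_tap(plan, SCREEN_T1), guarded_tap(plan, SCREEN_T0), guarded_tap(plan, SCREEN_T1)
```

The naive path lands on `popup/ok` instead of `Cancel`; the guarded path executes on the unchanged screen and refuses on the changed one, which is also the event worth logging for detection.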
The AI agent includes built-in safeguards intended to reduce the risk of these exploits. However, media reports indicate that some apps already flag its behavior as suspicious, triggering CAPTCHA challenges or forced logouts. As a result, several critical services, including WeChat, have restricted its use.
Super agents are emerging as a key trend in AI development: projects like OpenClaw and Doubao Assistant give models increasing autonomy and the ability to operate across applications and contexts. Yet security mechanisms lag behind their expanding capabilities. Many attacks still rely on a relatively simple prompt injection — a low‑barrier technique for which no systemic mitigation exists. Building cybersecurity frameworks for AI agents must therefore progress in parallel with their functional growth.