
Security researchers at Trail of Bits have demonstrated a new class of attack that slips past traditional defenses: malicious prompts hidden inside images that are handed to AI chatbots. The technique was shown to work against widely used Google platforms, including Gemini CLI, Vertex AI Studio and Google Assistant, and it raises concerns for both developers and users of multimodal AI.
The attack is a form of prompt injection that exploits how AI systems downscale images before processing them. At the image's original resolution the planted text is not visible to a human viewer; the downscaling algorithm the platform applies before the image reaches the model brings it out as legible text. The model then treats that text as part of the user's request and acts on it, which can lead to actions the user never asked for.
How the Image-Scaling Prompt Injection Works
The attack relies on downscaling, a routine step in most AI platforms: an uploaded image is shrunk to a fixed working resolution using an interpolation algorithm such as nearest-neighbour, bilinear or bicubic resampling. The attacker crafts a high-resolution image in which the pixels that the resampler will keep, or the weighted combination it will compute, spell out an instruction, for example a command to collect and send out sensitive data, while the remaining pixels keep the image looking ordinary. When a user uploads this image, the platform downscales it as usual.
The model never sees the original upload, only the downscaled version, in which the planted instruction is now readable text. It interprets that text as a legitimate command and follows it. In the Trail of Bits demonstration against Gemini CLI, the injected instruction caused the assistant to read the user's Google Calendar entries and send them to an attacker, using tools the agent already had access to; the attack worked because the agent's tool integration was configured to run such calls without asking the user for confirmation.
To demonstrate the issue, Trail of Bits released an open-source tool called "Anamorpher," which generates images carrying these hidden triggers for each of the common downscaling algorithms, since the pixels that survive resampling depend on which algorithm the target uses.
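The mechanism is easier to see with a toy version. The following is an added example written for this article, not Anamorpher or any Trail of Bits code. It models images as plain Python lists of 8-bit grayscale rows so it runs offline with no dependencies, and it makes two simplifying assumptions: the target downscaler is nearest-neighbour sampling that keeps the centre pixel of each k x k block (real libraries differ in exactly which pixel they keep, which is why a real tool has to match the target's implementation), and the payload is an 8x8 bitmap glyph rather than rendered text. The `scaler_disagreement` heuristic at the end is an idea of this example, not a published mitigation.

```python
"""Toy demonstration of the image-scaling prompt injection mechanism.

Added example, not the Anamorpher tool or any Trail of Bits code. Images are
lists of 8-bit grayscale rows. Assumptions: the target downscaler is
nearest-neighbour sampling of the centre pixel of each k x k block, and the
payload is a bitmap glyph standing in for rendered instruction text.
"""

SCALE = 8   # downscale factor: a 64x64 upload becomes 8x8 for the model
SIZE = 64

# Constructed payload: an 8x8 bitmap of the letter H; '#' marks a dark pixel.
PAYLOAD = [
    "........",
    ".#....#.",
    ".#....#.",
    ".######.",
    ".#....#.",
    ".#....#.",
    ".#....#.",
    "........",
]


def make_cover(size=SIZE):
    """Benign cover image (constructed sample input): a smooth left-to-right gradient."""
    return [[int(255 * x / (size - 1)) for x in range(size)] for _ in range(size)]


def downscale_nearest(img, k):
    """Nearest-neighbour downscale by k: keep the centre pixel of each k x k block."""
    off = k // 2
    return [[img[by * k + off][bx * k + off] for bx in range(len(img[0]) // k)]
            for by in range(len(img) // k)]


def downscale_box(img, k):
    """Area-average downscale by k: integer mean of every pixel in each k x k block."""
    out = []
    for by in range(len(img) // k):
        row = []
        for bx in range(len(img[0]) // k):
            block = [img[y][x] for y in range(by * k, by * k + k)
                     for x in range(bx * k, bx * k + k)]
            row.append(sum(block) // (k * k))
        out.append(row)
    return out


def embed_payload(cover, payload, k):
    """Attacker step: overwrite only the pixels the nearest-neighbour sampler reads.
    This touches 1/k^2 of the image and leaves the other pixels of each block as
    they were; a real tool also bounds each change so the full-resolution upload
    still looks like the cover."""
    img = [row[:] for row in cover]
    off = k // 2
    for by, line in enumerate(payload):
        for bx, ch in enumerate(line):
            img[by * k + off][bx * k + off] = 0 if ch == "#" else 255
    return img


def to_bitmap(img, threshold=128):
    """Render a small grayscale image as '#'/'.' rows for comparison with PAYLOAD."""
    return ["".join("#" if v < threshold else "." for v in row) for row in img]


def fraction_changed(a, b):
    """Share of pixels that differ between two same-sized images."""
    total = sum(len(r) for r in a)
    changed = sum(1 for ra, rb in zip(a, b) for va, vb in zip(ra, rb) if va != vb)
    return changed / total


def scaler_disagreement(img, k):
    """Illustrative check (this example's idea, not a published mitigation): mean
    absolute difference between two downscalers. A smooth benign image scores low;
    an image tuned to one sampler scores high, because the other sampler averages
    the planted pixels away."""
    a, b = downscale_nearest(img, k), downscale_box(img, k)
    n = len(a) * len(a[0])
    return sum(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb)) / n


def run_demo(k=SCALE):
    """Build the cover, plant the payload, and report what each downscaler sees."""
    cover = make_cover()
    attacked = embed_payload(cover, PAYLOAD, k)
    return {
        "changed_fraction": fraction_changed(cover, attacked),
        "model_sees_payload": to_bitmap(downscale_nearest(attacked, k)) == PAYLOAD,
        "box_scaler_sees_payload": to_bitmap(downscale_box(attacked, k)) == PAYLOAD,
        "cover_disagreement": scaler_disagreement(cover, k),
        "attacked_disagreement": scaler_disagreement(attacked, k),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the three points the article makes: only 1 in 64 pixels of the upload changes, the nearest-neighbour downscale the model receives reproduces the glyph exactly, and a different resampler (area averaging) does not reveal it at all, which is why the attacker has to know the target's algorithm. The disagreement score is high only for the tampered image, illustrating how a platform that previews or cross-checks the downscaled result could surface the attack.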
Growing Risk for Multimodal AI
The research points to a growing threat as AI systems that accept several kinds of input, such as images alongside text, become part of daily life. Because the payload is ordinary pixel data rather than executable code, firewalls and anti-malware products have nothing to match against: the image is not malicious on its own, and only becomes an instruction once a specific model pipeline has resampled it.
The attack abuses the trust that both users and AI systems place in visual data. A model treats whatever text it reads as instructions, and an agent connected to tools will act on them, which puts personal calendars, smart devices and private conversations within an attacker's reach through an everyday input. As multimodal AI spreads from enterprise workflows to personal assistants, the number of places where such an image can be slipped in grows with it.
How to Stay Safe From Image-Based Prompt Injection
The most effective fixes sit with platform developers: limiting upload dimensions so that no downscaling is needed, showing users a preview of the exact image the model will receive when downscaling is unavoidable, and requiring explicit confirmation before an agent performs a sensitive tool call. In the meantime, users can take immediate steps to reduce risk:
- Be cautious with image sources: Do not upload images from untrusted or unverified sources to AI systems.
- Review permissions: Be aware of the data and device permissions you grant to AI platforms. Regularly audit and restrict these permissions, especially for critical data like calendars, messages, or network access.
- Confirm critical tasks: Where the platform offers it, require explicit confirmation before an AI agent sends data, calls external services or changes settings on your behalf. An injected instruction that still has to be approved by a human is far less useful to an attacker.
- Practice general cyber hygiene: Use strong passwords and multi-factor authentication, keep software updated, and secure your network. These measures do not stop an image-based injection by themselves, but they limit what an attacker can do with any account or data that an injected command manages to expose.
As the capabilities of multimodal AI expand, proactive security measures and a healthy skepticism of even the most innocuous-seeming digital content will become vital for all users.