
First Look: Anthropic Tests Mobile Remote Control for Claude Cowork Agentic Desktop Tasks

ATTACK SURFACE BRIEF HIGH ↗ MODERATE
  • What shipped: Anthropic is testing a mobile interface for Claude Cowork, letting phones remotely control a background-running desktop AI agent with local file access.
  • Who's now exposed: Enterprise users and knowledge workers running Claude Cowork on corporate endpoints; their mobile devices become a second control path into the desktop agent, and therefore a new route onto the endpoint.
  • Assess now: Inventory all endpoints running Claude Cowork and classify them as hosting persistent agentic processes requiring EDR monitoring · Enforce MFA and session-binding controls on Claude mobile app authentication to prevent cross-device session hijacking · Define and enforce data-access policies governing which file paths Cowork agents are permitted to read, write, or enumerate

Capability Overview

Anthropic is preparing to extend Claude Cowork — its desktop-resident agentic mode for general knowledge work — to mobile devices. Rather than running agent logic on the phone, the mobile app functions as a remote control: users initiate, steer, and monitor tasks from their smartphone while the actual execution (file access, document generation, storage enumeration, background processing) occurs on the linked desktop or laptop. Critically, Anthropic confirms that work continues in the background even when the mobile app is closed.

For defenders, this architecture shift matters for one core reason: it decouples the control plane (mobile device) from the execution plane (desktop endpoint), and each plane carries distinct, independent security postures — and failure modes.

Attack Surface Analysis

Persistent background agent on the endpoint. Cowork tasks continue running after the user disengages. This creates a long-lived process on the endpoint with filesystem access that security teams must now account for in EDR rules, process monitoring, and data loss prevention policies. An agent that outlives the user’s active session is harder to contain.

Mobile device as a command-and-control vector. If an attacker compromises the mobile side (device malware, a malicious app, theft of the session token, or an account takeover such as a SIM swap against SMS-based recovery), they may inherit the ability to issue task instructions to the desktop agent. Functionally this is remote task execution on the desktop through a natural-language interface, bounded only by the files and actions Cowork is permitted to perform; the attacker needs no foothold on the endpoint itself.

Cross-device session hijacking. Anthropic has not described the synchronisation mechanism between the mobile app and the desktop agent; the reasonable working assumption is that it relies on authenticated API sessions on both sides. Under that assumption, a stolen or forged session token on either side could let an adversary inject new tasks, redirect in-progress work, or read outputs. The question to put to the vendor is whether those sessions are bound to the device or are bearer tokens that work from anywhere.

Prompt injection via task instructions. If a user instructs Cowork to process attacker-controlled content (an email, a document, a web page) and the mobile interface is used to initiate that task, adversarial instructions embedded in that content could redirect the agent’s file operations, trigger sensitive data reads, or exfiltrate outputs to attacker-controlled locations.
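The previous two paragraphs both reduce to the same question: what, exactly, is the agent permitted to touch, and how is that boundary checked. The following is an added illustration, not Anthropic's code and not a description of Cowork's actual permission model, which this page does not document; the policy shape, helper names and directory layout are assumptions. It shows the three escapes a naive string-prefix check misses: `..` traversal, a symlink planted inside an allowed directory that points outside it, and a sibling directory that shares a name prefix with an allowed root.

```python
"""Allowlist-based path scoping for an agent with local file access.

Added illustration only: Cowork's real permission model is not documented on
the page this accompanies, so the policy shape, names and directory layout
below are assumptions. The point is the edge cases any such check must handle.
"""
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class FileScopePolicy:
    read_roots: list[str] = field(default_factory=list)   # covers read and list
    write_roots: list[str] = field(default_factory=list)
    deny_roots: list[str] = field(default_factory=list)   # deny always wins

    @staticmethod
    def _inside(path: str, root: str) -> bool:
        # realpath resolves '..' and symlinks on both sides; commonpath compares
        # whole components, so '/x/Documents2' is not inside '/x/Documents'.
        real_path = os.path.realpath(path)
        real_root = os.path.realpath(root)
        return os.path.commonpath([real_path, real_root]) == real_root

    def allows(self, path: str, op: str) -> bool:
        if any(self._inside(path, d) for d in self.deny_roots):
            return False
        roots = {"read": self.read_roots,
                 "list": self.read_roots,
                 "write": self.write_roots}.get(op)
        if roots is None:                  # unknown operation: fail closed
            return False
        return any(self._inside(path, r) for r in roots)


def demo() -> dict[str, bool]:
    """Constructed home-directory layout under a temp dir; returns each
    request's decision so the cases can be inspected or asserted on."""
    home = tempfile.mkdtemp()
    docs, docs2, ssh = (os.path.join(home, d) for d in ("Documents", "Documents2", ".ssh"))
    for d in (docs, docs2, ssh):
        os.makedirs(d)
    key = os.path.join(ssh, "id_ed25519")
    open(key, "w").close()
    # A symlink planted inside the allowed directory that points at the key.
    os.symlink(key, os.path.join(docs, "notes.txt"))

    policy = FileScopePolicy(read_roots=[docs],
                             write_roots=[os.path.join(docs, "Cowork")],
                             deny_roots=[ssh])
    return {
        "read_in_scope":       policy.allows(os.path.join(docs, "report.docx"), "read"),
        "list_in_scope":       policy.allows(docs, "list"),
        "read_prefix_sibling": policy.allows(os.path.join(docs2, "x.txt"), "read"),
        "read_dotdot_escape":  policy.allows(os.path.join(docs, "..", ".ssh", "id_ed25519"), "read"),
        "read_symlink_escape": policy.allows(os.path.join(docs, "notes.txt"), "read"),
        "write_outside_root":  policy.allows(os.path.join(docs, "report.docx"), "write"),
        "write_in_root":       policy.allows(os.path.join(docs, "Cowork", "out.xlsx"), "write"),
        "unknown_operation":   policy.allows(os.path.join(docs, "report.docx"), "exec"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:22s} {'ALLOW' if decision else 'DENY'}")
```

The deny list is evaluated before any allow, and the write scope is deliberately narrower than the read scope: an agent that summarises documents rarely needs to write next to them, and an injected instruction to "save the results to ~/.ssh" should fail on scope, not on the model declining.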

Expanded social engineering surface. Mobile devices typically sit outside the mail filtering, URL rewriting and EDR coverage a managed desktop enjoys, and a phone screen makes lures harder to inspect. Getting a user to initiate a malicious Cowork task from their phone, with execution then happening on a corporate endpoint, is a plausible, low-friction attack chain.

Framework Mapping

  • AML.T0051 (LLM Prompt Injection): Task instructions submitted via the mobile interface — or content processed by the agent — could carry injected directives.
  • AML.T0057 (LLM Data Leakage): The agent’s local file enumeration capability, accessible remotely, makes it a viable exfiltration tool if compromised.
  • AML.T0012 (Valid Accounts): Legitimate user credentials on the mobile app are the primary access mechanism; account takeover directly enables agent misuse.
  • LLM08 (Excessive Agency): Background execution with filesystem access and no active user oversight is a textbook excessive-agency configuration. (LLM08 is the v1.1 numbering; the 2025 OWASP LLM Top 10 lists Excessive Agency as LLM06.)
  • LLM01 (Prompt Injection): The agentic task pipeline processes user-supplied and potentially external content with privileged local access.

Threat Scenarios

Scenario 1 — Mobile compromise to desktop exfiltration: An attacker delivers infostealer malware to a target’s Android device, harvests the Claude session token, and uses the Cowork mobile interface to instruct the desktop agent to locate, compress, and upload sensitive documents to an attacker-controlled endpoint.

Scenario 2 — Prompt injection via processed document: A target is socially engineered into having Cowork summarise a malicious PDF. The PDF contains injected instructions directing the agent to enumerate and exfiltrate additional files from the desktop, with results delivered via a legitimate-looking Cowork output.

Scenario 3 — Insider abuse via mobile: A malicious insider initiates after-hours Cowork tasks from their personal phone, leveraging the background execution feature to conduct data staging while avoiding the scrutiny associated with active desktop sessions.

Defender Checklist

  • Identify all endpoints with Claude Desktop and Cowork installed; treat them as hosting persistent agentic processes
  • Apply EDR rules to monitor Claude Cowork process activity, particularly file enumeration and outbound network calls
  • Enforce MFA on Claude accounts (through your identity provider where the plan supports SSO), keep session lifetimes short, and confirm with the vendor whether mobile sessions are device-bound, so a stolen mobile token does not translate into desktop agent access
  • Define explicit file-access scoping policies — restrict which directories Cowork agents may access on corporate endpoints
  • Add Claude Cowork to your mobile device management (MDM) risk assessment if employees use personal phones
  • Monitor for anomalous after-hours Cowork task execution, especially file reads outside normal working patterns
  • Include Cowork in DLP scope — outputs (documents, spreadsheets, reports) generated by the agent should be treated as potentially sensitive
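What the EDR, after-hours and exfiltration items in this checklist (and the persistent-agent concern raised under Attack Surface Analysis) look like as concrete detection logic, as an added example that is not part of the original brief and is not any vendor's rule language. The telemetry is constructed; the agent process name, the hostnames treated as legitimate egress, the sensitive path prefixes and the thresholds are all assumptions to be replaced with what your own fleet actually shows.

```python
"""Detection logic over constructed endpoint telemetry for a persistent
desktop agent. Added example, not part of the original article and not an EDR
vendor's rule syntax. Event schema, process name, legitimate hosts, sensitive
prefixes and thresholds are all assumptions made for the illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

AGENT_PROCESS = "Claude"                              # assumed process name
EXPECTED_HOSTS = {"api.anthropic.com", "claude.ai"}    # assumed legitimate egress
BUSINESS_HOURS = range(8, 19)                          # 08:00-18:59 local time
ENUM_THRESHOLD = 50                                    # distinct paths per window
ENUM_WINDOW = timedelta(minutes=5)
SENSITIVE_PREFIXES = ("/home/alice/.ssh", "/home/alice/.aws", "/home/alice/.config")


def _ev(ts: datetime, proc: str, typ: str, **fields) -> str:
    return json.dumps({"ts": ts.isoformat(), "host": "LT-ALICE", "user": "alice",
                       "proc": proc, "type": typ, **fields})


def build_sample() -> str:
    """Constructed telemetry, one JSON object per line: a 02:14 enumeration
    burst, a credential read, one expected and one unexpected connection, then
    benign daytime activity and an unrelated browser connection."""
    base = datetime(2025, 6, 10, 2, 14, 3)
    lines = [_ev(base, "Claude", "file_list", path="/home/alice/Documents/Finance")]
    for i in range(60):   # 60 distinct spreadsheets read in about two minutes
        lines.append(_ev(base + timedelta(seconds=2 + 2 * i), "Claude", "file_read",
                         path=f"/home/alice/Documents/Finance/q{i}.xlsx"))
    lines += [
        _ev(base + timedelta(seconds=157), "Claude", "file_read", path="/home/alice/.ssh/id_ed25519"),
        _ev(base + timedelta(seconds=179), "Claude", "net_connect", dest="api.anthropic.com"),
        _ev(base + timedelta(seconds=207), "Claude", "net_connect", dest="drop.example.net"),
        _ev(datetime(2025, 6, 10, 10, 3, 11), "Claude", "file_read", path="/home/alice/Documents/report.docx"),
        _ev(datetime(2025, 6, 10, 10, 3, 12), "chrome", "net_connect", dest="drop.example.net"),
    ]
    return "\n".join(lines)


def load_events(raw: str) -> list[dict]:
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list[dict]) -> list[dict]:
    alerts = []
    agent = [e for e in events if e["proc"] == AGENT_PROCESS]

    for e in agent:
        # Rule 1: agent egress to a host outside the expected set (possible exfil channel).
        if e["type"] == "net_connect" and e["dest"] not in EXPECTED_HOSTS:
            alerts.append({"rule": "agent_unexpected_egress", "sev": "high",
                           "host": e["host"], "detail": e["dest"]})
        # Rule 2: agent touches credential or config material, whatever the hour.
        if e["type"] in ("file_read", "file_list") and e["path"].startswith(SENSITIVE_PREFIXES):
            alerts.append({"rule": "agent_sensitive_path", "sev": "high",
                           "host": e["host"], "detail": e["path"]})

    # Rule 3: burst of distinct paths touched within a sliding window (data staging).
    by_host = defaultdict(list)
    for e in agent:
        if e["type"] in ("file_read", "file_list"):
            by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > ENUM_WINDOW:
                start += 1
            distinct = {x["path"] for x in evs[start:end + 1]}
            if len(distinct) >= ENUM_THRESHOLD:
                alerts.append({"rule": "agent_enumeration_burst", "sev": "high", "host": host,
                               "detail": f"{len(distinct)} paths in {ENUM_WINDOW}"})
                break   # one alert per host per run is enough

    # Rule 4: any agent file activity outside business hours (the insider scenario).
    off_hours = [e for e in agent if e["type"].startswith("file_")
                 and e["ts"].hour not in BUSINESS_HOURS]
    if off_hours:
        alerts.append({"rule": "agent_after_hours_activity", "sev": "medium",
                       "host": off_hours[0]["host"],
                       "detail": f"{len(off_hours)} events from {off_hours[0]['ts'].isoformat()}"})
    return alerts


def summarize(alerts: list[dict]) -> dict[str, int]:
    counts: dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in detect(load_events(build_sample())):
        print(f"[{a['sev']:6s}] {a['rule']:28s} {a['host']}  {a['detail']}")
```

Rule 1 is the one worth tuning first: the agent's legitimate egress set is small and stable, so any new destination from that process is a strong signal. Rule 4 on its own is noisy for a feature whose selling point is running tasks while the user is away; it earns its place as a correlator that raises the severity of rules 1 to 3 when they fire together.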
