🤖 AI Summary
This study is the first to systematically expose the severe vulnerability of Audio Large Language Models (ALLMs) to acoustic backdoor attacks. Addressing the lack of stealthy and robust acoustic triggers in prior work, we propose HIN, a novel framework that embeds low-perceptibility triggers into raw waveforms via temporal dynamic modulation and spectrum-customized noise, while leveraging feature encoding analysis and adversarial response detection to achieve high attack success rates. Experiments demonstrate >90% attack success with triggers based on acoustic features such as environmental noise and speech rate variation, while models show minimal response to volume as a trigger; poisoned samples induce only marginal fluctuations in training loss, confirming high stealthiness. Furthermore, we introduce AudioSafe, the first standardized benchmark for ALLM robustness evaluation, comprising nine categories of audio-specific security risks.
📝 Abstract
As Audio Large Language Models (ALLMs) emerge as powerful tools for speech processing, their safety implications demand urgent attention. While considerable research has explored textual and vision safety, audio's distinct characteristics present significant challenges. This paper first investigates: Are ALLMs vulnerable to backdoor attacks exploiting acoustic triggers? In response to this issue, we introduce Hidden in the Noise (HIN), a novel backdoor attack framework designed to exploit subtle, audio-specific features. HIN applies acoustic modifications to raw audio waveforms, such as alterations to temporal dynamics and strategic injection of spectrally tailored noise. These changes introduce consistent patterns that an ALLM's acoustic feature encoder captures, embedding robust triggers within the audio stream. To evaluate ALLM robustness against audio-feature-based triggers, we develop the AudioSafe benchmark, assessing nine distinct risk types. Extensive experiments on AudioSafe and three established safety datasets reveal critical vulnerabilities in existing ALLMs: (I) audio features like environment noise and speech rate variations achieve over 90% average attack success rate; (II) ALLMs exhibit significant sensitivity differences across acoustic features, particularly showing minimal response to volume as a trigger; and (III) poisoned sample inclusion causes only marginal loss curve fluctuations, highlighting the attack's stealth.