Existing backdoor attacks in semantic communication predominantly adopt a monomorphic, single-target paradigm, which struggles to meet the diversity and flexibility demands of heterogeneous downstream tasks. This work proposes SemBugger, a polymorphic semantic backdoor attack that introduces, for the first time, an intensity-graded trigger mechanism and a multi-effect poisoning training framework. By dynamically modulating trigger intensity, SemBugger enables fine-grained manipulation of shared semantic knowledge to produce diverse malicious outputs while preserving the fidelity of benign sample transmission. A complementary controllable-noise defense strategy is also devised, offering provable robustness. Experiments demonstrate that SemBugger achieves high attack success rates and strong system compatibility across various semantic communication models and benchmark datasets, and the proposed defense effectively neutralizes such attacks.

Semantic Communication (SC) backdoor attacks aim to utilize triggers to manipulate the system into producing predetermined outputs via backdoored shared knowledge. Current SC backdoors adopt monomorphic paradigms with single attack target, which suffers from limited attack diversity, efficiency, and flexibility in heterogeneous downstream scenarios. To overcome the limitations, we propose SemBugger, a polymorphic SC backdoor. By dynamically adjusting the trigger intensity, SemBugger finely-grained controls over the SC knowledge to generate diverse malicious results from the system. Specifically, SemBugger is realized through a multi-effect poisoning-training framework. It introduces graded-intensity triggers to poison training data and optimizes SC systems with hierarchical malicious loss. The trained system's knowledge dynamically adapts to trigger intensity in inputs to yield target outputs, all while preserving transmission fidelity for benign samples. Moreover, to augment SC security, we propose a provable robustness defense that resists SemBugger's homogeneous attacks through a controlled noise mechanism. It operates via strategically adding noise in SC inputs, and we formally provide a theoretical lower bound on the defense efficacy. Experiments across diverse SC models and benchmark datasets indicate that SemBugger attains high attack efficacy while maintaining the regular functionality of SC systems. Meanwhile, the designed defense effectively neutralizes SemBugger attacks.