Check Point Research Reveals AI-Driven Browser Ransomware Technique with Zero Installation Required


Recent findings from Check Point Research have unveiled a significant development in the realm of AI-assisted cyber threats. Researchers discovered a malware sample where an AI model autonomously linked a theoretical browser vulnerability to an operational ransomware technique. Notably, this method requires no exploit, no application installation, and no technical expertise from the attacker.

A Noisy Sample With One Dangerous Idea

In their analysis of nearly 3,000 files attributed to DeepSeek, researchers identified a Python Flask application that initially appeared to be a classic example of AI hallucination. The application attempted to integrate a keylogger, credential stealer, webcam capture, and a ransomware overlay into a single web page—most of which standard browsers would not permit. Despite the model’s numerous inaccuracies, it successfully identified a critical element.

The generated code invoked showDirectoryPicker(), a legitimate browser API that allows a web page to request access to a folder on the user’s device. Once the user approves, the page can read and modify the files in that folder and send their contents to a remote server, all unlocked by a single permission prompt.

The individual who prompted this action likely had no awareness of the API’s existence. They articulated a broad malicious intent, prompting the model to search its database of real browser functionalities for a suitable match. This process—AI reasoning through existing platform knowledge to reveal a novel attack vector—underscores the significance of this discovery.

Why DeepSeek Is Part of This Story

Prominent AI vendors have prioritized cybersecurity as a key area of focus. Requests related to ransomware behavior, credential theft, or malware deployment are routinely denied by leading models from companies like Anthropic and OpenAI. In contrast, DeepSeek offers less consistency. It is freely accessible and, in testing, a single broad prompt generated a complete malicious application that would have required multiple requests to assemble using other models. This lower barrier to entry makes it particularly appealing to threat actors with limited technical skills.

The Android Risk Is Real

To validate this technique, researchers created a controlled proof of concept: a fake AI photo-enhancement tool utilizing the File System Access API to encrypt images in a chosen directory. The workflow appears deceptively straightforward. A user selects a photo, chooses a folder for the enhanced results, and approves a browser prompt that seems routine. During the processing phase, their images are encrypted—without any binary download or application installation. The entire attack occurs within the browser.

This poses a heightened concern on Android devices. Chrome 132 introduced full File System Access support on Android, and subsequent testing on Chrome 148 confirmed that web pages can request access to the DCIM photo directory. This directory typically contains years of personal photos, scanned documents, banking screenshots, and recovery codes. The loss or exfiltration of such sensitive data could lead to personal or business issues, including ransomware, blackmail, or public disclosure, resulting in reputational damage. Notably, this technique does not apply to iOS, as Safari does not expose the same API.

What You Can Do

It is crucial to scrutinize browser folder-access prompts. Before clicking “Allow,” users should consider which site is requesting access, the folder being selected, and whether write access is genuinely necessary for the intended action. Avoid granting websites access to primary photo libraries or any directories containing sensitive or irreplaceable files. For unfamiliar tools, selecting an empty folder is advisable, and maintaining regular backups ensures that encrypted files are not the sole copies.
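For managed Chrome fleets, the same advice can be enforced centrally. The following managed-policy file is an added defender-side example, not part of the Check Point write-up: it stops every site from even asking for write access through the File System Access API, keeps the normal prompt for read access, and lets a single vetted internal origin ask for write access (value 2 blocks the request outright, value 3 allows the site to prompt). The origins are placeholders, the file name is arbitrary under the standard Linux managed-policy directory, and whether Chrome on Android honours these policies through Android Enterprise managed configuration is an assumption to verify against the current Chrome policy list.

```json
{
  "DefaultFileSystemWriteGuardSetting": 2,
  "FileSystemWriteAskForUrls": [
    "https://photos.internal.example.com"
  ],
  "DefaultFileSystemReadGuardSetting": 3,
  "FileSystemReadBlockedForUrls": [
    "https://[*.]untrusted-example.net"
  ]
}
```

Save it as, for example, /etc/opt/chrome/policies/managed/file-system-access.json and confirm at chrome://policy that the four entries load without errors; on Windows and macOS the same policy names are set through the registry or a configuration profile.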

For enhanced protection against phishing-style pages that facilitate such attacks, Check Point’s ThreatCloud Anti-Phishing service identifies and blocks malicious sites before users encounter suspicious permission prompts. Since the success of the attack relies on luring users to a convincing fake page, disrupting this delivery mechanism serves as the most effective defense available today.

The Broader Shift

As of the time of publication, there is no evidence that this technique is currently being employed in active campaigns. The decision to publish these findings stems from the low barrier to operationalizing this method.

This research highlights a significant shift in how novel attacks can emerge. Traditionally, discovering a new attack vector necessitated domain expertise and creative human thought. However, AI alters this landscape. A non-expert can articulate a malicious outcome in straightforward language and receive a prototype that connects that goal to a genuine platform capability they may not have previously known existed. The expertise required to identify these attack paths is no longer the bottleneck, necessitating that defenders adapt their strategies accordingly.

Source: securitymea.com
