An AI chatbot paired a made-up malware idea with a real browser feature and produced a working ransomware technique — no installation, no exploit, no coding skill required, according to a research blog by Check Point on Wednesday.
Researchers found the sample while reviewing nearly 3,000 files attributed to DeepSeek, the Chinese AI model, pulled from public telemetry. The Python-based application initially looked like a typical AI “hallucination”. The code tried to combine a keylogger, credential stealer, webcam capture and ransomware overlay into one webpage, most of which browsers don’t permit, according to a Check Point companion post.
Embedded in the code was a call to show DirectoryPicker, a legitimate Chrome API that lets a webpage request read-and-write access to a folder on a user’s device through a standard permission prompt. Check Point built a proof-of-concept — a fake AI photo-enhancement tool — that used the API to encrypt a user’s photo folder after they approved access, with no binary downloaded and no app installed.
The technique itself isn’t new. Academic researchers documented the same attack path in a 2023 USENIX Security paper, “RøB: Ransomware over Modern Web Browsers“, and the browser feature’s own technical specification lists ransomware as a known risk category its authors accepted when designing the API.
What Check Point found is an AI model’s ability to reach a working version of that same technique on its own, from a vague or malicious prompt, without a researcher steering it there.
To be clear, this isn’t a bug in Chrome. The File System Access API works exactly as designed. A site can only touch a folder after a user clicks through a picker dialog and grants access. That permission model is the safeguard. However, the research shows a convincing lure can talk someone into clicking “Allow” the same way phishing talks people into clicking a link.
The attack plays out when a victim visits a spoofed site and grants the site folder access through the browser’s normal picker dialog. Next the page’s JavaScript encrypts files in that folder in place — no download, no install. What varies is the damage. If the granted folder syncs to cloud storage without version history, there’s no automatic undo: the 2023 academic paper found Apple iCloud and Box don’t retain older file versions, while Dropbox, Google Drive and OneDrive do.
Separately, the technique tends to evade antivirus and EDR tools regardless of target, because the process doing the writing is just the browser — the same 2023 research tested real antivirus products against it and found they consistently missed it.
Check Point said it found no evidence of the technique in live attacks and published the research because the barrier to deploying it is low. Major AI vendors including Anthropic and OpenAI consistently refuse ransomware- and malware-related prompts, while DeepSeek was “less consistent,” the firm said.
The underlying technique isn’t Android-specific — it relies on a browser API that’s existed in desktop Chrome for years. But the risk is sharper on Android, where Chrome only extended that API’s reach to the device’s DCIM photo directory starting with version 132, concentrating a phone’s entire photo history in one predictable, API-accessible folder. Check Point said testing on the current release, Chrome 148, confirmed the access still works.
Apple’s Safari doesn’t expose the same API, so the technique doesn’t extend to iOS.
Users are advised to scrutinize browser folder-access prompts, avoid connecting unfamiliar sites to a photo library or sensitive directory, and keep independent backups.
Check Point’s finding lands alongside a broader 2026 pattern of AI systems surfacing attack paths that don’t require deep technical expertise — echoing Wiz’s autonomous agent independently exploiting an airline’s authorization flaw in June.
The common thread isn’t a novel vulnerability class; it’s AI collapsing the distance between a plainly stated malicious goal and a working exploit, shifting the bottleneck for attackers from expertise to access.