Check Point traced a VirusTotal sample called InfernoGrabber v9.0 to a fake Discord avatar enhancer. Once a user grants folder access, the page can read, alter and exfiltrate files without dropping a local executable.
The Android version of Chrome 132 and later is the most exposed case, while iOS avoids the specific path because Safari does not implement the same API. Researchers said almost half of the DeepSeek-branded files they tracked were malicious or risky.
Sources: CocoLoop and Check Point Research and The Register and The Hacker News