Security Concerns: .plist file appears after a shared image is saved from iMessage

Yesterday my niece sent me two screenshots, they were of TikTok app screens announcing their shutdown and then their subsequent Trump inspired revival.

We both use iPhones so she shared the JPEG images with me via attachments in iMessage. I held my figure down on each image and chose 'Save' from the popup menu. A problem at this step, not sure where iMessage saved them, I was not presented with an option for choosing the location.

This is where things took a dark turn. As I searched for them in my iCould Drive folder I noticed in the Recents view a new file: 2025-01-20-13-22-358780.plist. The file's name includes a date & time plus a number, the date & time is the exact date & time that I attempted to save the files.

Further note, the file would appear in the Browse view of my iCloud Drive folder nor would it appear in a search of the iPhone and the iCloud Drive folder.

.plist files are typically associated with an app, to instruct its operations based on choices by the user and to an extent past usage conditions. In my experience they are not created by documents being saved, moved or duplicated.

The file easily opens as a text file, the content is a continuous block of text in simplified Chinese Mandarin, interspersed with icons and unidentifiable control characters. The later showing as squares with a '?' enclosed.

Copying the whole block is not possible, the control characters stop that but smaller blocks, chosen from in between the control characters,

"..."

A top sample translated by Google translate,

"The potassium ions of the ... It is difficult to make a living by doing this. The only thing you can do is to make a living by doing this. The green onion is the most beautiful thing in the world. The green onion is the most beautiful thing in the world. The green onion is the most beautiful thing in the world. The green onion is the most beautiful thing in the world."

I'm guessing that this is the Chinese version of a Lorem ipsum text placeholder. The green onion either being of particular cultural importance or simply, a hungry hacker with dinner on his or her mind.

I believe that was an attempt to install malware but I need some more information. There may be some things about the iPhone that I am unaware.

Having the TikTok app open on an iPhone, while the user uses the operating system to take a screenshot and the TikTok app attaching a .plist file is a bit arcane and a threat if that is what is taken place.

Anyone every heard of this or had any experience with something similar?

I am on an iPhone Pro 12 running iOS 18.2.1. Not sure what my niece was using, I can find out if that is revenant.

A screenshot of the open, top section the .plist file is attached.