In one sentence: SafeW (and SafeX, its renamed successor) was bundled with purpose-built information-stealing malware. It hides inside apps that look perfectly normal, requests photo-library permission, and then silently runs OCR on your screenshots one by one in the background, specifically hunting for cryptocurrency wallet recovery phrases and private keys before uploading them to the attackers.
You may see the name "SparkCat" in other coverage — it refers to exactly this malware bundled inside SafeW / SafeX, not a separate product. For readability, we simply call it "the malware" throughout this page.
How it differs from ordinary viruses
Many people still picture mobile trojans as things that "pop up ads" or "drain your phone credit." What makes this malware dangerous is how restrained and precise it is: most of the time there is almost no noticeable sign of anything wrong. It quietly does just one thing in the background — read the images in your photo library as text and pick out the few most valuable lines.
What it targets is the single most fatal weakness in the crypto world: once a recovery phrase (seed phrase) leaks, your wallet is effectively handed over, and transfers on the blockchain cannot be reversed or stopped. That turns the screenshot of a recovery phrase you took "just to back it up" into a target worth a fortune.
It requests photo-library permission and uses OCR (optical character recognition) to analyze the images in your photo library; once it matches keywords such as crypto wallet recovery phrases, it uploads the relevant images to the attackers.
— Based on Kaspersky's technical analysis of this malware
Attack Chain Breakdown
Four steps, from one permission grant to a drained wallet
1. Hide inside a normal app
It buries its malicious module inside seemingly normal chat, food-delivery, or productivity apps — and even slips into official app stores.
2. Read text in your photo library
Once it has photo-library permission, it recognizes the text inside your screenshots one by one in the background — that is, OCR.
3. Match keywords
Using keyword rules, it filters out high-value text such as recovery phrases (seed phrases), private keys, and passwords.
4. Exfiltrate the matching images
It uploads the matching screenshots to the attackers' server, and your wallet assets can be drained at any moment.
Why it is especially dangerous
1. It showed up in the "official app stores"
According to Kaspersky's report, the affected apps appeared on both the App Store and Google Play at the same time. That shatters the reflexive assumption that "anything downloaded from an official store must be safe" — review processes can be bypassed, and download counts and ratings can manufacture a convincing illusion of trust.
2. It spans both iOS and Android
Whether you use an iPhone or Android, you are not "naturally immune." SafeW had named versions on both platforms.
3. It deliberately targets assets you can never recover
What gets stolen is cryptocurrency — no customer support, no bank fraud controls, no undo button. Once a recovery phrase leaks and the assets are moved out, there is almost no chance of getting them back.
4. It keeps coming back
The most telling part is how it reacted after being exposed: once SafeW was caught and delisted, the developer did not fix it — instead they renamed the software to SafeX and re-listed it on Google Play. The result: in April 2026, Kaspersky again found that SafeX still contained the malware, and Google Play removed it once more. Same problem, untouched, just under a new name.
Bottom line: if you have ever saved a wallet recovery phrase, private key, or password as a screenshot in your photo library and installed SafeW or SafeX, you should assume that information may already have been read.
SafeW, SafeX, and the malware — how the three relate
Here are all three names spelled out at once, so nothing gets confused:
SafeW: the original name of that chat / cloud-office app.
SafeX: the new name used after SafeW was delisted and re-skinned — same developer, same problem.
The malware: the information-stealing code hidden inside them; the security industry named it SparkCat.
For the specific app package names, the details of the SafeX rename, and links to the original reports, see the Evidence & Sources page.
How everyday users can protect themselves
Never store recovery phrases, private keys, passwords, or 2FA backup codes as screenshots in your photo library. This is the single most effective rule.
Be cautious about granting photo-library permission, especially to apps of unknown origin that nonetheless claim to be "very safe."
Download apps from trusted sources, but don't blindly trust that "official store = absolutely safe."
Use a hardware wallet for crypto assets whenever possible, and write down your recovery phrase offline by hand and keep it secure.
Scan with security software regularly, and pay attention to whether the permissions an app requests are reasonable.
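A self-audit sketch for the first rule in the list above, added here and not taken from Kaspersky's report or from any tool named on this page: it takes text you have already OCR'd from your own screenshots and flags the ones that look like a recovery phrase or private key, so you know which images to delete. The function names, the heuristics (a run of 12 or more short lowercase words, a 64-character hex string, a few hint phrases) and the sample data are assumptions; it over-reports on purpose and does not check words against the BIP-39 wordlist.

```python
import re

# Assumptions: recovery phrases are 12-24 short lowercase words (BIP-39 English
# words are 3-8 letters); a raw private key is often shown as 64 hex characters.
MIN_PHRASE_WORDS = 12
WORD = re.compile(r"^[a-z]{3,8}$")
HEX_KEY = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")
HINTS = ("recovery phrase", "seed phrase", "secret phrase", "mnemonic", "private key")

def longest_word_run(text):
    """Longest run of seed-like words; list numbering ('1.', '2)') is skipped."""
    best = run = 0
    for token in text.split():
        token = token.strip(".,:;()[]").lower()
        if not token or token.isdigit():
            continue  # numbering between words does not break a run
        if WORD.match(token):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best

def findings(text):
    """Reasons this OCR text suggests a wallet secret (empty list if none)."""
    reasons = []
    if longest_word_run(text) >= MIN_PHRASE_WORDS:
        reasons.append("possible recovery phrase")
    if HEX_KEY.search(text):
        reasons.append("possible private key (64 hex characters)")
    lowered = text.lower()
    reasons += [f"mentions '{hint}'" for hint in HINTS if hint in lowered]
    return reasons

def audit(ocr_by_file):
    """Map each flagged screenshot name to the reasons it should be reviewed."""
    return {name: r for name, text in ocr_by_file.items() if (r := findings(text))}

# Constructed sample: OCR text keyed by screenshot name (not a real wallet or key).
SAMPLE = {
    "IMG_0001.png": "1. apple 2. river 3. stone 4. cloud 5. tiger 6. lemon "
                    "7. candy 8. ocean 9. piano 10. robot 11. sugar 12. zebra",
    "IMG_0002.png": "See you at 6 pm, I will bring the food to the park",
    "IMG_0003.png": "Private key: " + "ab12" * 16,
}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```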
If you have already installed SafeW or SafeX, go straight to the What To Do If Installed guide.