Plain-English explainer

Is the SparkCat in SafeW a trojan or a virus? Can it steal your crypto?

In short: it's an information-stealing trojan that quietly scans your photo library for crypto wallet recovery phrases, then drains your wallet. Call it a trojan or a virus if you like — to you, it's simply a piece of malware that steals your money.

Trojan, or virus?

People use "virus" and "trojan" interchangeably, but there's a difference: a virus self-replicates and spreads on its own; a trojan disguises itself as a normal app to trick you into installing it, then quietly does damage in the background. The malware inside SafeW (the security industry calls it SparkCat) is a trojan — more precisely, an information-stealing trojan / spyware.

But honestly, for an ordinary user, arguing over the label is pointless: it's a piece of malware hiding inside a "secure chat app," built to steal from your wallet. That's what matters.

Can it steal your crypto? Yes — and the kind you can't get back

Yes. Here's how it works:

  • It ships inside a normal-looking app like SafeW and requests access to your photo library;
  • In the background, it uses OCR to scan your screenshots one by one;
  • It specifically hunts for wallet recovery phrases, private keys, and passwords, and uploads any it finds;
  • With your recovery phrase, attackers can drain your entire wallet — USDT and everything else — at once.

The most dangerous part of crypto: transfers are irreversible — no customer service, no bank fraud team, no way to cancel. Once your funds are stolen, they're almost impossible to recover.

Where is it hiding, and why didn't I notice?

It hides inside SafeW (and SafeX, the name it was relisted under after being delisted) — a chat app marketed for "secure communication / cloud office" that even appeared in the official Apple and Google app stores at one point. Day to day it shows almost no visible symptoms; it just quietly scans your photo library in the background, which is exactly why it's so hard to spot.

This isn't a baseless accusation: the global security firm Kaspersky named it in a 2025 report, and The Hacker News named it again in 2026. After Google Play removed it, the developer simply renamed it (SafeX) and re-listed it — same problem, new name.

Beyond crypto, what else does it take?

Once malware has your photos and permissions, it can see far more than your wallet: passwords, verification codes, bank and ID details in your screenshots, and your private chats, group chats, and social graph — all of it can be harvested and monetized. In short: crypto has a price; your data is priceless.

Want the hard evidence? The named package IDs, the SafeX rename, and the original Kaspersky and The Hacker News reports are all in the evidence dossier, verifiable line by line. For a technical breakdown of how it works, see the malware explainer.

I think I'm affected — what do I do?

If you installed SafeW or SafeX and ever stored a wallet recovery phrase, private key, or password as a screenshot in your photo library, treat it as already exposed: revoke its permissions immediately, uninstall it, and move your crypto to a brand-new wallet as fast as you can. Full steps are in the self-help guide.