SECURITY ALERT

SafeW — is it safe?

Verdict: High Risk · do not install

SafeW is a chat app marketed on "secure communication / cloud office." But it was caught by security firm Kaspersky bundling information-stealing malware that scans your phone's photo library in the background to steal crypto wallet recovery phrases and passwords. After being removed from the app stores, it was renamed SafeX and re-listed, only to be caught with the exact same behavior again.

See the evidence I installed it — what to do
Risk level
HIGH
Core problem
Bundled information-stealing malware
What it targets
Wallet recovery phrases · private keys · password screenshots
Sources
Kaspersky · The Hacker News
The short answer

Is SafeW safe — the short answer

SafeW is not safe. It is a high-risk app, and we do not recommend installing it. Security firm Kaspersky found that it bundles purpose-built information-stealing malware that scans screenshots in your photo library in the background, hunting for crypto wallet recovery phrases, private keys, and passwords, and uploads them to the attackers.

Even more alarming is how its developer responded: after the app was removed from the stores, instead of fixing the problem, the developer renamed it SafeX and re-listed it, only to be caught bundling the same malware again and removed from Google Play once more in April 2026. A chat app whose own credibility has already collapsed is not worth trusting with your messages, your files, and your photos.

The core facts · named by a security firm

This isn't "niche, so I'm wary" — it was publicly named by a security firm

What follows is not guesswork from users online, nor a case of mistaken identity over a shared name. These are the app identifiers — the "package name" of each app — that Kaspersky listed in its technical report as confirmed to be malicious. Anyone can verify them against the original report.

Kaspersky report: apps confirmed as malicious
Android org.safew.messenger
Android org.safew.messenger.store
iOS com.safew.messenger

A report from a professional security firm

Kaspersky is a globally recognized security vendor. In its February 2025 technical report, it listed the SafeW apps above as confirmed to be malicious. This is an industry-grade assessment, not a forum rumor.

Both Android and iOS were hit

Named versions exist on both platforms, which shows this is not a single tampered install package on one channel, but deliberate behavior on the operator's part.

The desktop client is very likely the same

With both mobile store versions tampered with, there is good reason to suspect that SafeW deployed the same device-image-scanning malware on its other platforms — such as the Windows desktop client. The same operator has no reason to limit this to phones.

It was never fixed after delisting: After SafeW was removed from the app stores, the developer renamed it SafeX and re-listed it on Google Play; in April 2026, Kaspersky again found that SafeX bundled the same malware, and Google Play removed it once more.

For context: the security industry collectively named this malware found in SafeW / SafeX "SparkCat." When you see that name in other reports, it refers to this same class of wallet-stealing malicious code, not a different product.

See the full evidence and source links →

What it actually does

It doesn't steal your chats — it steals the "money" in your photo library

The malware bundled in SafeW is not an ordinary ad plugin, nor is it as simple as "collecting device information." According to Kaspersky's analysis, at its core is a theft chain aimed at crypto assets.

Request photo-library permission

Under a legitimate-sounding pretext like "sending images" or "backup," it asks for permission to read your phone's photo library.

Read the text in your screenshots

In the background it reads the text in your screenshots one by one (using OCR, optical character recognition).

Match sensitive information

It specifically hunts for high-value content like wallet recovery phrases (seed phrases), private keys, and passwords.

Upload the matching images

It packages the matching screenshots and uploads them to the attackers' server, and your assets could be drained at any moment.

If you've ever saved any of these as a screenshot in your photo library, the risk is amplified directly: wallet recovery phrases / seed phrases · private keys · two-factor (2FA) backup codes · password screenshots · ID photos · bank card details · important contracts and chat screenshots. Photo-library permission is never just about "looking at photos" — to malware like this, it's rifling through your safe.

Learn more about this malware →

The truth its marketing hides

An app that can scan your photo library — why wouldn't it read your chats?

On one hand, SafeW touts "strong encryption," "self-hosted (on-premise) deployment," and "even admins can't read it." On the other, it was caught by a security firm actively scanning users' photo libraries. Put those side by side, and the conclusion isn't complicated.

Falsely advertises “end-to-end encryption”

Real end-to-end encryption is open-source and audited by independent third parties; SafeW has never produced a single such audit, and its so-called “encryption” is just a front to fool users. Your private chats, group messages, and every image you send sit in plaintext on its servers — the operator can read them at will.

Anyone who rifles through your photos will read your chats too

An operator willing to plant malware on your device and rifle through your photo library has no reason to spare the chat content already sitting on its servers. Anyone who does the former will certainly do the latter.

Self-hosted deployment is just a false sense of security

Even if you self-host the server, what's installed on your phone is still SafeW's client with malicious code in it: the trojan scans your photo library locally and sends the data straight to the attackers — it never passes through your "private" server at all.

So the real issue is trust: We can trust Telegram because it is open and transparent; but why should a SafeW that plants malware on users' devices deserve to be trusted with every private message and every photo? Even SafeW's self-hosted server code has never undergone any independent security audit — and given its repeated record of being caught bundling malicious code, there is no reason to assume this part of the code is clean. It could easily contain a backdoor.
Public record timeline

It wasn't flagged just once

Laid out chronologically, the public reporting shows that SafeW's problems are not an isolated incident, but a record that runs into 2026 and ends with a rebrand and re-skin.

2024.03

Traceable start of the malware activity

Based on the timestamps of related files, Kaspersky infers that this malware's activity can be traced back to at least around March 2024.

2025.02

Kaspersky publishes its report, and SafeW is named

Kaspersky's technical report listed the Android and iOS versions of SafeW as confirmed to be malicious, and Apple's and Google's app stores subsequently removed the relevant apps. Source: Kaspersky

After delisting

Renamed "SafeX," re-listed

The developer did not fix the problem — instead it renamed the app SafeX and re-listed it on Google Play. In essence it is still the same app.

2026.04

SafeX is caught again, and delisted again

Kaspersky named it again: SafeX still bundled malware, and Google Play removed it once more; The Hacker News' reporting from the same period also still lists "SafeW — Cloud Office Assistant." Source: Kaspersky · The Hacker News

After being delisted again

Bypassing the stores, distributing the APK directly from its own site

After being removed from Google Play, SafeW stopped going through the store and instead began offering an installable Android APK file directly from its own website, bypassing the app store's security review — letting a developer that has already been caught with malware twice install an unvetted package straight onto your phone.

Who should be most wary

These groups face the highest risk

Crypto holders

People who keep screenshots of recovery phrases or private keys in their photo library are this malware's number-one target, and their assets could be drained directly.

Anyone who screenshots passwords

Once screenshots of passwords, verification codes, or 2FA backup codes are read, multiple accounts are exposed at once.

Anyone using it for work or business

A chat app that steals user information is being trusted with contracts, clients, and internal communications — and the cost of a leak goes far beyond the personal.

Emergency response

If you've already installed SafeW or SafeX

Especially if you've granted it photo / files / contacts permissions, we recommend following the steps below in order.

  1. Revoke permissions and uninstallNow

    First, in your system settings, turn off SafeW's (or SafeX's) photo, files, contacts, and location permissions, then uninstall the app.

  2. Check your photo library for sensitive screenshotsNow

    Check whether you've saved any screenshots of wallet recovery phrases, private keys, passwords, 2FA backup codes, ID photos, and the like.

  3. Treat your assets as "already compromised"

    If you've stored recovery phrases / private keys in your photo library: create a new wallet and move your assets as soon as possible. If you've stored passwords: change them one by one and enable stronger two-factor authentication.

  4. Run a full scan and device check

    On Android, scan with security software; on iPhone, check Settings → General → VPN & Device Management for any unknown configuration profiles.

See the full what-to-do guide

FAQ

More you might want to ask about SafeW's safety

Is SafeW actually safe?

Based on the public record, no — it's not safe, and it's high-risk. Security firm Kaspersky found that SafeW bundles information-stealing malware that scans your photo library to steal wallet recovery phrases and passwords; in 2026 it was named again by The Hacker News. For a product that markets itself on "secure communication," a track record like this is reason enough for ordinary users to steer clear.

What is the relationship between SafeW and SafeX?

They are the same app under a different name. After SafeW was caught and delisted, the developer renamed it SafeX and re-listed it, only to be caught bundling the same malware again and removed from Google Play once more in April 2026. The name changed, but the problem did not, so both SafeW and SafeX should be treated with caution.

What kind of app is SafeW?

It markets itself as a chat / cloud office app focused on encrypted communication and data security, appearing on the App Store under names like "SafeW — Cloud Office Assistant," with taglines such as "strong encryption," "leak-proof," and "even admins can't read it." But marketing taglines are not the same as security itself.

It was delisted — doesn't that mean it's fine now?

A store delisting only means one named version was removed; it doesn't prove the developer is trustworthy from then on. In fact, after SafeW was delisted it was promptly renamed SafeX and re-listed, then caught again. For a chat app with high security requirements, "was malicious before, and repeatedly reoffends" is itself a major mark against it.

Doesn't the "strong encryption" marketing prove it's safe?

No. Whether a chat app is safe depends on whether the client is trustworthy, whether it is open-source and auditable, whether it has had an independent security audit, whether it has had a malicious-code incident, and whether it transparently reviewed the fallout afterward. SafeW is closed-source and has a public record of being caught bundling malware — an encryption tagline is no substitute for any of that.

What are some more trustworthy alternatives?

This site doesn't make commercial recommendations, but the general principle is: prefer communication tools that are open-source, have undergone an independent security audit, have end-to-end encryption on by default, and have no history of malicious code — and download them from official channels. Whichever you use, never keep recovery phrases, private keys, or passwords as screenshots in your photo library.

References

Every conclusion traces back to a public source

This site only compiles public material. We encourage you to open the originals and verify for yourself.

Kaspersky

SparkCat stealer in App Store and Google Play (2025)

securelist.com/sparkcat-stealer-in-app-store-and-google-play/115385/

 THN

New SparkCat variant in iOS / Android (2026)

thehackernews.com/2026/04/new-sparkcat-variant-in-ios-android.html

 Kaspersky

Press release: a new SparkCat variant bypassing app store review discovered

kaspersky.com · about/press-releases

 MyCERT

SparkCat malware infiltrates Google Play and the App Store (official advisory)

CERT security advisory · mycert.org.my
Keep reading

Dive deeper into this dossier

01 / Threat analysis

The malware it bundled

Where this malware came from, how it works, and why it's especially dangerous.

 02 / Evidence file

Full evidence and sources

App package names, the SafeX rename, and links to the original reports — all verifiable line by line.

 03 / Debunked

"Reading the photo library is normal" is spin

A point-by-point rebuttal of the talking points that surfaced after SafeW was exposed, checked against the public evidence.

 04 / Emergency response

What to do if you installed SafeW

A complete checklist, from revoking permissions and uninstalling to moving your assets.

Pass this warning on to anyone who might be using SafeW

Especially people who hold crypto assets, or who tend to keep screenshots of passwords and recovery phrases on their phones. One heads-up could prevent an irreversible loss.

See the evidence file What-to-do guide