Evidence Dossier

SafeW / SafeX Evidence Dossier

This page gathers, in one place, the facts you can verify publicly: the apps named, how it was renamed SafeX, the original sources, and the timeline. You don't have to take our word for it — open the originals and check for yourself.

Evidence 1 · The apps named

The SafeW versions Kaspersky's report confirmed as malicious

The string below is the app's "package name" — think of it as each app's unique identifier. These appear in Kaspersky's 2025 report on the list of apps confirmed as malicious. Use the button on the right to copy the exact value so you can search for it and compare against the original report.

Kaspersky report: apps confirmed as malicious
Android org.safew.messenger
Android org.safew.messenger.store
iOS com.safew.messenger
How to verify: open the Kaspersky report under "Evidence 4" below, search the page for safew, and you'll find the entries above on the list of apps confirmed as malicious.
Evidence 2 · Renamed and reskinned

Delisted, then renamed "SafeX" — with the problem left untouched

What's most telling isn't that it was caught carrying malware — it's how it responded after being caught:

  • After SafeW was found to be bundling malware, it was removed from Google Play;
  • The developer issued no public fix and no explanation — instead, they renamed the software SafeX and re-listed it on Google Play;
  • In April 2026, Kaspersky named it again: SafeX was still bundling malware;
  • On that basis, Google Play removed it once more;
  • Once it was delisted from the store, SafeW stopped going through Google Play and switched to distributing an installable Android APK directly from its own website, bypassing app-store security review — the same party that has now been caught carrying malware twice, handing an unvetted installer straight onto your phone.

Same developer, same data-stealing behavior — only the name changed. This pattern of "get caught, rename, and put it right back on the store" is itself damning: it shows the problem isn't one version's oversight, but that this product is fundamentally untrustworthy.

So: be wary when you see "SafeW," and just as wary when you see "SafeX" — they are two names for the same software.
Evidence 3 · Exposed again in 2026

In The Hacker News's reporting, "SafeW — Cloud Office Assistant" is still there

In April 2026, the well-known security outlet The Hacker News reported a new wave of the campaign, and the affected iOS apps it listed still included:

  • SafeW — Cloud Office Assistant
  • Wukong Waimai: Life Concierge for Chinese in Thailand

The report notes that this malware hides inside seemingly ordinary apps — business messengers, food delivery, and the like — and silently scans the photo library for crypto-wallet recovery phrases. This shows SafeW's problem did not end with that single incident in 2025.

Evidence 4 · Original sources

Where every conclusion comes from

Kaspersky

SparkCat stealer in App Store and Google Play (2025.02)

The list includes the named SafeW app package names · securelist.com/.../115385/

 THN

New SparkCat variant in iOS / Android (2026.04)

The new wave still names "SafeW — Cloud Office Assistant" · thehackernews.com

 Kaspersky

Press release: a new variant that bypasses store review discovered

Includes official security advice · kaspersky.com/about/press-releases

 MyCERT

SparkCat infiltrates Google Play and the App Store (2025)

CERT security advisory MA-1260.022025 · mycert.org.my
Evidence 5 · Timeline

The public record, in chronological order

2024.03

Earliest traceable start of the malware campaign

The start of the campaign as inferred by Kaspersky from the timestamps of related files.

2025.02

Kaspersky exposes SafeW for the first time

The report names the Android and iOS versions of SafeW; both major stores then removed the apps.

After delisting

Renamed SafeX and re-listed

The developer renamed the software SafeX and re-listed it on Google Play.

2026.04

SafeX caught again and delisted again

Kaspersky again named SafeX for bundling malware, and Google Play removed it once more; The Hacker News, reporting around the same time, still named "SafeW — Cloud Office Assistant."

You've seen the evidence — here's what to do next

If you're using, or have ever installed, SafeW or SafeX, don't stop at "noted" — follow the guide to deal with the permissions and sensitive screenshots.

Go to the self-help guide Learn about this malware