It comes hidden in an app and stealthily trawls through your smartphone, capturing text from stored photographs.

It’s an optical character recognition Trojan stealer known as SparkCat and it’s worrying cybersecurity experts, who say it has made its way into Google Play and the Apple App Store.
Through SparkCat, a criminal can capture the text from a scanned bank confirmation letter or pick up a password that appeared on a screenshot. All of this would allow an attacker to access a mobile app.
Criminals are increasingly targeting banking apps in South Africa. The national financial ombud scheme (NFO) reported a 73% increase in digital banking fraud complaints between 2024 and 2025. This exceeds ATM fraud cases over the same period. Banking apps also allow criminals to target virtual cards. “After gaining access to a customer’s digital banking profile, fraudsters can create virtual cards and then use those credentials to do transactions,” says Nerosha Maseti of the NFO. “This happens when bank customers have compromised their confidential access credentials, shared one-time PINs [OTPs] or accepted authentication messages for the creation of virtual cards.”
And criminals are still using older methods and tricks to con their marks. These include phishing, luring people to fake websites or to download malicious files; voice phishing, or vishing, on phone calls; and smishing, by way of SMS.
The South African Banking Risk Information Centre has also warned consumers about quishing, where attackers use QR codes to get users to download malware.
Lukas van der Merwe of Cybercom says criminals are combining these forms of attack to make them more effective. “What we see are very complex, well-thought-out and thorough strategic attacks that focus much more on selecting sensitive and confidential data,” he says. “They hide their presence better, so they’re not discovered right away.”
Sharon Knowles, founder of Da Vinci Forensics & Cybersecurity, says fraudsters typically operate in small, organised groups and take advantage of having insiders in call centres, retail outlets and banks. “Victims often report that they never shared their PINs or OTPs, only to later discover their mobile numbers were SIM-swapped hours before funds were stolen,” she says. “Money is then rapidly siphoned into prepaid wallets or cryptocurrency platforms, complicating recovery.”
Meanwhile, South African businesses continue to be the victims of ransomware attacks. This is when malware is used to prevent the user from accessing their data until a ransom is paid. As with cellphone fraud, the criminals use social engineering to glean information from a company and its employees to launch their attack.
Van der Merwe says: “It’s not a question of whether a company will suffer a breach. More and more, it’s becoming a reality that a company will suffer a breach of some sort.”
Many companies opt to pay the ransom, and some cybersecurity firms have negotiators who haggle with the criminals to bring the price down. Last year the median South African ransom payment was $452,000 and the average cost to recover from a cyberattack was $1.31m, according to the Sophos State of Ransomware in South Africa 2025 report.
To protect against such attacks, says Zamani Ngidi, business unit manager of M&A and cybersolutions at Aon South Africa, companies use “a blend of cloud and cold storage”. Cold storage involves storing data on magnetic tape, so it’s not connected to any network.
There have been some successes in the fight against cybercrime. Between June and August, Interpol’s Operation Serengeti netted 1,209 cybercriminals in 18 African countries. They had robbed nearly 88,000 victims.
But what worries cybercrime investigators is what lies ahead. Van der Merwe and Ngidi say criminals have yet to fully exploit AI. Then there’s quantum computing; supercomputers could be used to crack passwords in milliseconds.
Knowles says: “You’ve just got to do what you can, because cybercrime evolves all the time.”




