Cybercriminals are exploiting phone screenshots and notes as a new source of sensitive information, cybersecurity firm Kaspersky has warned. The company says this shift comes amid a sharp escalation in cyberthreats in South Africa, where ransomware and infostealers remain among the most pressing dangers.
“Knowing the threat landscape becomes an operational concern,” said Maher Yamout, Lead Security Researcher for the Global Research and Analysis Team (GReAT) at Kaspersky, during a media briefing last week in Johannesburg.
“When you understand which threats are registered in the region, you can tune controls that matter. In our recent work, we have also supported INTERPOL-led efforts to disrupt stealer operations affecting Africa. Meanwhile, cases like SparkCat show why screenshots of passwords or recovery phrases are not safe, even if the app came from an official store.”
SparkCat is an infostealer that shipped inside apps which passed review on both Apple’s App Store and Google Play. Once installed, it asks for access to the photo gallery and runs optical character recognition (OCR) over the stored images, looking for text such as passwords or cryptocurrency wallet recovery (seed) phrases in screenshots.
Its related variant, SparkKitty, goes further: it uploads images and device details through apps distributed via official stores and scam sites, underlining how everyday phone content can become a gateway for cybercriminals. The risk is not limited to images. Notes apps, where many people keep passwords, PINs and recovery phrases in plain text, are just as attractive a target.
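To make the gallery-scanning step concrete, the following is an added Python example of my own, not Kaspersky's detection logic and not code from the SparkCat sample. It performs the same classification a stealer applies to OCR output (is this a seed phrase, a labelled password, a private key?), written as a defender-side triage you could run over the OCR text of your own exported screenshots and notes. All inputs are constructed, and the BIP39 wordlist here is a small sample subset: a real scanner must load the full 2048-word list.

```python
"""Triage OCR text from screenshots and notes for wallet seed phrases, credentials
and private keys. Added example: not Kaspersky's detector, not SparkCat itself."""
import re
from dataclasses import dataclass

# BIP39 mnemonics are 12, 15, 18, 21 or 24 words; anything shorter is noise.
MIN_SEED_WORDS = 12

# Constructed sample of the 2048-word BIP39 English list, enough to exercise the
# check. A real scanner must load the full list; with this subset most genuine
# phrases would be missed.
BIP39_SAMPLE = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
zoo zone zero zebra youth young yellow year yard wrong write wrist wreck
""".split())

# "Password: ...", "pin = 1234", "api_key: ..." and similar labelled secrets.
CREDENTIAL_RE = re.compile(
    r"(?i)\b(pass(?:word|wd|code)?|pwd|pin|otp|secret|api[_ -]?key|token)\b\s*[:=]\s*\S+"
)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")


@dataclass
class Finding:
    kind: str    # "seed_phrase", "credential", "private_key" or "clean"
    detail: str  # label only; the secret itself is never copied into the finding


def longest_wordlist_run(text, wordlist=BIP39_SAMPLE):
    """Length of the longest run of consecutive wordlist words in the text.

    Screenshots of recovery phrases are usually numbered ("1. abandon 2. ...")
    and wrapped over several lines, so numbering is stripped and the whole text
    is treated as one token stream.
    """
    cleaned = re.sub(r"\b\d+[.)]?", " ", text.lower())
    run = best = 0
    for tok in cleaned.split():
        tok = tok.strip(".,;:()[]\"'")
        if tok.isalpha() and tok in wordlist:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def triage(text, wordlist=BIP39_SAMPLE):
    """Classify one OCR'd image or note. Checks run from most to least specific."""
    if PRIVATE_KEY_RE.search(text):
        return Finding("private_key", "PEM private key header")
    run = longest_wordlist_run(text, wordlist)
    if run >= MIN_SEED_WORDS:
        return Finding("seed_phrase", f"{run} consecutive BIP39 words")
    m = CREDENTIAL_RE.search(text)
    if m:
        return Finding("credential", f"labelled '{m.group(1).lower()}' value")
    return Finding("clean", "")


def scan_gallery(ocr_texts, wordlist=BIP39_SAMPLE):
    """Map filename -> Finding for a dict of {filename: OCR text}."""
    return {name: triage(text, wordlist) for name, text in ocr_texts.items()}


# Constructed OCR output standing in for what an OCR pass over a gallery returns.
SAMPLE_OCR = {
    "IMG_0012.png": (
        "Recovery phrase - do not share\n"
        "1. abandon 2. abandon 3. abandon 4. abandon\n"
        "5. abandon 6. abandon 7. abandon 8. abandon\n"
        "9. abandon 10. abandon 11. abandon 12. about\n"
    ),
    "IMG_0013.png": "Office Wi-Fi\nSSID: corp-guest\nPassword: Summer2025!\n",
    "IMG_0014.png": "Lunch at 12:30 with the team, zoo trip on Saturday\n",
    "note_7.txt": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
}

if __name__ == "__main__":
    for name, finding in scan_gallery(SAMPLE_OCR).items():
        print(f"{name:14} {finding.kind:12} {finding.detail}")
```

Two design points matter for a defender-side version: the finding records only the label of what was found, never the secret itself, so the triage output does not become a second copy of the credential; and the wordlist run is computed across the whole text because real recovery-phrase screenshots are numbered and wrapped, which a per-line check would miss. The same two facts explain why a stealer bothers with OCR rather than grepping file names.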
Phishing campaigns are evolving in increasingly sophisticated ways. Kaspersky has observed attackers using AI-generated text, deepfakes and voice cloning to craft convincing lures. They also route links through trusted services such as Telegram pages and Google Translate, so that the URL a filter sees carries a reputable domain rather than the phishing host, and some phishing sites put a CAPTCHA in front of the page so that automated crawlers and sandboxes never reach the credential form.
These tactics make fraudulent messages and sites difficult to distinguish from legitimate ones. On top of this, attackers use search engine optimisation (SEO) poisoning to push malicious links to the top of search results, luring users into compromised websites.
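The Google Translate trick works because the visible link points at a Google-owned domain that URL filters trust. As an added Python example of my own, not Kaspersky's, here is the normalisation a mail or web filter can apply before a reputation lookup. It assumes the link form meant is Google's translate.goog page proxy, and that the proxy encodes the original hostname by turning dots into hyphens and doubling any original hyphens; that encoding is what I have observed and should be verified against current proxy behaviour. The sample links are constructed.

```python
"""Unwrap phishing links that hide behind Google Translate's page proxy.
Added example; not from Kaspersky or the article."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

PROXY_SUFFIX = ".translate.goog"  # assumed proxy domain


def unwrap_translate_proxy(url):
    """Return the destination URL behind a translate.goog link, or None if the
    link is not proxied.

    Assumed hostname encoding: dots in the original host become single hyphens
    and original hyphens become "--". The proxy's own _x_tr_* query parameters
    (source/target language and UI hints) are dropped.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host.endswith(PROXY_SUFFIX):
        return None
    encoded = host[: -len(PROXY_SUFFIX)]
    # Protect doubled hyphens first so they survive the dot restoration.
    original = encoded.replace("--", "\0").replace("-", ".").replace("\0", "-")
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if not k.startswith("_x_tr_")]
    return urlunsplit(("https", original, parts.path, urlencode(query), parts.fragment))


def host_to_check(url):
    """Host a URL filter or reputation lookup should judge: the real destination
    when the link is proxied, otherwise the link's own host."""
    target = unwrap_translate_proxy(url) or url
    return urlsplit(target).hostname


# Constructed links as they might arrive in a phishing mail; example.com/.org are
# reserved documentation domains.
SAMPLE_LINKS = [
    "https://secure--login-example-com.translate.goog/verify?_x_tr_sl=auto&_x_tr_tl=en&id=7",
    "https://secure-login.example.com/verify?id=7",
    "https://www.example.org/news",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{host_to_check(link):26} <- {link}")
```

The point of `host_to_check` is that the first two sample links must be judged identically: a filter that only sees `translate.goog` will wave the first one through while blocking the second. A production version would apply the same unwrapping to other open redirectors and page-proxy services before consulting its blocklists.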
The South African threat landscape
Kaspersky reported that in the first half of 2025, 42.4-million web attacks and 95.6-million on-device attacks were detected across Sub-Saharan Africa. The region experienced more than double the number of spyware incidents compared with the same period last year, alongside a 64% rise in password stealer attacks and a 12% increase in backdoor infections.
More than 6-million online attack attempts were blocked in SA, affecting roughly one in five users. Threats ranged from phishing scams and botnets to Remote Desktop Protocol (RDP) intrusions and network spoofing via fake Wi-Fi networks. A further 10.3-million on-device incidents were stopped, targeting 21.2% of local users with malware spread through infected USB drives, CDs, DVDs and hidden installers. Industrial environments were also in the firing line: Kaspersky solutions blocked attacks on 27.7% of Industrial Control Systems (ICS) computers in the country.
The SA figures outpace the regional ones, and the threat landscape is becoming more sophisticated. In SA specifically, backdoor detections more than doubled year-on-year (up 123%), banking trojans grew by 136% and password stealer activity rose 122%. Spyware attacks surged 3.6-fold, while exploits targeting Microsoft Office vulnerabilities climbed 14%, showing how attackers continue to abuse common business tools as entry points.
Infostealers are proving particularly damaging. They spread through phishing lures and pirated software, and once on a PC they harvest files and saved browser credentials. They are now extending into new territory, scanning images and notes for secrets, which makes them harder for users to anticipate and avoid.
Phishing remains a major concern. Kaspersky solutions registered almost 3-million attempts in SA in the first half of 2025. While this was 29% fewer than in the same period last year, the campaigns are more advanced, using the AI-generated lures, trusted-service redirects and CAPTCHA gating described above, tactics Kaspersky says have already appeared in local incidents.
Ransomware continues to rank among the top causes of corporate cyber incidents, with high-value government and enterprise victims targeted. According to Kaspersky, effective defence requires a multi-layered approach: rigorous patching, strong authentication such as MFA, tightly restricted remote access (RDP in particular, given the intrusions noted above), and detection and response tooling that can isolate a compromised host early.
Kaspersky Next updates for business
At the briefing, Kaspersky announced updates to Kaspersky Next, a flagship cybersecurity product line that combines endpoint protection with extended detection and response (XDR) capabilities. The platform is designed to give businesses layered defence, automation, and visibility across their IT environments.
The new additions, Kaspersky Next XDR Optimum and MXDR Optimum, are aimed at small and medium-sized businesses, which often face complex attacks but lack large security teams. XDR Optimum offers AI-backed endpoint protection, automated response, cloud sandboxing, patch and vulnerability management, and tools to monitor shadow IT. MXDR Optimum builds on this foundation with a managed service model, providing 24/7 threat monitoring, expert analysis, and guided remediation.
For enterprises, Kaspersky Next XDR Expert remains the most advanced tier, offering full-scale investigative and containment capabilities. Together, the expanded portfolio is intended to help organisations of all sizes close detection gaps, respond faster, and build resilience against ransomware and other sophisticated threats.
Yamout said: “Resilience is built in layers. Map your risks, reduce the attack surface, and plan for containment. If your controls shorten the time from the first suspicious event to isolation and rollback, you change the economics for cyber attackers.”
