Friendly reminder that rather than have malicious apps steal bank credentials using zero days, all the people I’ve known who’ve been scammed… voluntarily read out their OTP to said scammer, or transferred the money themselves to the scammer’s bank account using the official banking app.
Funnily and ironically enough, a phone that is rooted and fails safety net would likely not allow the bank apps to open, and thus be safer in such a case.
Also see: wrench vs RSA encryption at https://xkcd.com/538/