Scammers stealing banking credentials using trojan mobile phone apk apps - Part 2

 "Every single TAC/PAC stealing malware involved sideloading apps that are not from Google Playstore"

By now it is confirmed that many banking transaction scams start with users downloading Android phone software from outside the Google Play Store. This software comes as apk (Android package) files. An app installed from the Play Store is also an apk file behind the scenes; the difference is that it has been vetted by Google to some degree before release.

An apk file is simply a software package that can be installed on an Android phone. A scammer can easily embed a trojan in an apk file that reads the user's SMS messages and keystrokes. Nowadays this is harder, as Android prompts the user to grant approval before an apk can do so. However, it is only human nature for some people to click through and allow the apk the permissions to read SMS and keystrokes.

MyCERT (Malaysia Computer Emergency Response Team), together with Bank Negara and several Malaysian banks, has issued warnings to the public about malicious apk files. Once a malicious apk is installed, it can lure the user into keying in their banking information (login and password) and read the phone's SMS messages for the TAC/PAC/OTP. Previously, many Malaysians downloaded an app for requesting maid cleaning services which turned out to be a bank-credential-stealing apk (Grabmaid, Maid4U, Maideasy, MyMaidKL). The scammers lured users into downloading the apk apps with discounts on cleaning services ordered via the app.

One of the ways malicious apk files are transferred from scammers to users is via WhatsApp or other messaging apps, since messaging apps nowadays allow file transfers in addition to text messages.

The article below is about a woman who lost RM6,000 to online banking thieves after she downloaded a malicious apk file disguised as an ebook reader app.

As the durian season nears in May/Jun/Jul/Aug, scammers have lured users into downloading an apk app for ordering durians. Instead of being able to order durians from the app, the user's banking credentials are stolen and the apk reads the user's messages for the bank TAC/PAC/OTP.

There are many more malicious apk files disguised as ebook readers, comic readers, video streaming apps, games, product and service ordering apps, investment apps, crypto trading apps, launchers and porn apps.

Writing an Android apk app that reads SMS is very easy, as it is a built-in feature of Android (android.permission.RECEIVE_SMS). However, an apk app cannot read SMS messages by default: it has to ask the user for permission/consent to do so, and only an app that has been granted that permission can receive the bank's TAC/PAC/OTP messages.

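As an added defender-side example (not from the original post), the script below shows how a support technician or incident responder can triage a phone for the pattern described above: apps that hold an SMS permission but were not installed by the Play Store. It parses text in the layout of `adb shell dumpsys package` output; the sample is constructed here and the package names in it are made up, and `com.android.vending` is the Play Store's own package name.

```python
import re

# Constructed sample approximating `adb shell dumpsys package` output;
# not captured from a real device, and the package names are invented.
SAMPLE_DUMPSYS = """\
Package [com.maid.cleaning] (4d5e6f):
    installerPackageName=null
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
Package [com.messaging.trusted] (7g8h9i):
    installerPackageName=com.android.vending
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # the Google Play Store app

def parse_packages(text):
    """Map each package to its installer and the runtime permissions it holds."""
    pkgs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Package \[([^\]]+)\]", line)
        if m:
            current = pkgs.setdefault(m.group(1), {"installer": None, "granted": set()})
            continue
        if current is None:
            continue
        m = re.match(r"\s*installerPackageName=(\S+)", line)
        if m:
            current["installer"] = m.group(1)
            continue
        m = re.match(r"\s*(android\.permission\.\w+): granted=true", line)
        if m:
            current["granted"].add(m.group(1))
    return pkgs

def flag_sideloaded_sms_readers(text):
    """Packages holding an SMS permission that the Play Store did not install."""
    pkgs = parse_packages(text)
    return sorted(name for name, info in pkgs.items()
                  if info["granted"] & SMS_PERMS
                  and info["installer"] not in TRUSTED_INSTALLERS)

if __name__ == "__main__":
    for pkg in flag_sideloaded_sms_readers(SAMPLE_DUMPSYS):
        print("review:", pkg)
```

A sideloaded app on the list is not proof of a trojan, but it is exactly the combination the warnings above describe and is worth removing or reviewing with the bank.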
Malicious apk files do still exist within the Google Play Store, but they can be taken down once flagged by Google's reviewers and the internet community. In general, it is highly advisable to scrutinize every app downloaded and installed on the phone. Do not install lesser-known apps, and never install an apk app from outside the Google Play Store. Finally, using an Apple iPhone would probably be more secure, as all apps on the Apple App Store are very thoroughly vetted.

Maybank has also run a campaign to warn the public about malicious apk apps, as many of these malicious apps target Maybank customers, Maybank's user base being the largest in Malaysia.

The Part 1 article is here.