While this is definitely not a good thing, the "bad guys" still have to already know your login credentials too. I get an SMS for 2FA from my bank so I can relate to this article. I would not accept this service if they used phone calls instead. The SMS messages are also a weak point, but I repeat that the thief MUST have all the credentials for this to be of any value. It is up to me now to learn and defend against this malware. More reading to do! P.S. You would think that Android would have quickly added this malware into the "nightly scans" for AV verification. I'll be checking for sure. Thanks.