It looks like they are doing it after app install malicious patch. This patch asks for SMS and accessibility access to gain privileges necessary to get into the banking apps. I haven’t thoroughly read it but just looking at the attack chain that’s what I gleaned.
For a real answer here’s the Zscaler blog write up: https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-campaigns-android-banking-malware-active-google
It looks like they are doing it after app install malicious patch. This patch asks for SMS and accessibility access to gain privileges necessary to get into the banking apps. I haven’t thoroughly read it but just looking at the attack chain that’s what I gleaned.
Ugh, TIL zscaler actually does more than just send my PII to the USA without my consent.