[noname120]

Note that for TOTP the attack is only feasible if the font and pixel-perfect positions on the screen are known:

> The attacks described in Section 5 take hours to steal sensitive screen regions—placing certain categories of ephemeral secrets out of reach for the attacker app. Consider for example 2FA codes. By default, these 6-digit codes are refreshed every 30 seconds [38]. This imposes a strict time limit on the attack: if the attacker cannot leak the 6 digits within 30 seconds, they disappear from the screen

> Instead, assuming the font is known to the attacker, each secret digit can be differentiated by leaking just a few carefully chosen pixels

[x0x0]

Since there's only 3 or so (google, microsoft authenticator, okta, anyone else?) apps in widespread use, that seems not actually like an obstacle?

[goatsi]

They also need to know where in the app the code for each service is displayed, so they are grabbing the code for your bank and not for your World of Warcraft account.

[x0x0]

which they can read from the same fixed layout/offsets displaying it to you

[efreak]

I assume Authy is fairly high use. I use Aegis usually, but I likely it has very little usage share.