[igregoryca]

What can Bank X do to stop phone malware from scraping the user's session token from the Bank X app or website?

Yes, banks should (and sometimes do) double- and triple-check with you before allowing large transfers/withdrawals, but scammers know how to coach their victims past this. Speaking from experience.

(I also don't fully agree this is Google's responsibility, and I am not happy about this development. But there are legitimate points in favor of outsourcing the question of "will this software do nefarious things" to some kind of trusted signing authority.)

[bhhaskin]

Don't do instant non-reversible transfers. Specially for a transaction that is highly likely to be fraud. I.e. person transfers to someone you haven't done business with before or foreign accounts. Also the fraud detection needs to go both ways.

[pas]

they can wait.

how would the clueless victim check anyway?