This is a very big hypothetical.

They’d need to already have access to your account credentials (email, password or at least something that is regarded the same) then have you install this malicious app, then you’d need this app to be open at the same time as your 2FA app

It’s possible, yes, it’s an awesome find, yes, and this should be patches, yes yes yes, a thousand yes

Having said that, I’m not too worried about the potential impact of this, it’ll be fine.

requires a victim to first install a malicious app

Let me stop you right there… and leave.

Duh, they’re hackers /s

deleted by creator

Dont install random shit and if possible have a phone just for 2fa

It has to be tailored to the specific hardware so I don’t think it’s a major concern for most users. It doesn’t seem like something that can be fully mitigated either, so it’s probably not worth worrying about. Side channel attacks are really cool but also kind of useless in most practical scenarios.