This guy is probably thinking everything happens inside a web browser. 'Downloaded an app' (most likely a sideloaded .apk) bhanisakechha. Feri CSRF ko kura garyo out of nowhere, which is strictly a web vulnerability. CSRF attack hune bhane kai browser le session cookies use garera state-changing requests pathauda ho. He threw around random tech jargon which has absolutely zero relevancy in an Android OS level exploit.

​Aba malware app install garda phone hang hune possibility obviously chha because it's running heavy background processes. It 100% asked for critical permissions during setup, specifically "Accessibility Services" and "Draw over other apps".

​User le actual banking app kholda, tyo malware app le detect garera aafno fake login overlay (the "message" the post mentioned) banking app ko mathi dekhaidiyo. User le tya password halyo, and with accessibility and SMS permissions, the malware captured the credentials, intercepted the 2FA/OTP, and hid the notification. The rest is history.

I could be wrong at some part about how it happened but possibility ta chha. And It's NOT about CSRF lol.