If you use two-factor authentication one-time passwords, such as those generated by the Google Authenticator app (among others), a new strain of the Cerberus banking trojan has you targeted.
The new version, being sold on the dark web, can steal PINs and lock patterns, and it abuses Accessibility privileges to launch Authenticator and grab its one-time passcodes.
But really, on further inspection, it allows someone to take over your device, so whatever you can do on your unlocked phone, they can do. Whatever you see, they can see, so while Google Authenticator is explicitly listed in the ZDNet and ThreatFabric writeups, any authentication code generator on your phone is at risk.
Click that last link and scroll to Cerberus. It’s basically installing a remote-control app, and then whatever happens happens. Stealing 2FA OTP codes may not be what it’s used for; people might start drawing Captain Morgan mustaches on your photos, but probably not.