Re: Can't see that happening - 2FA
Most phones have a built in web browser. So software with enough access could connect to a web site, invoke 2FA, catch the incoming SMS and paste the code back into the web site.
Which is why 2FA using SMS is not a fully secure system because you need two clearly different delivery channels for the two factors, not just two applications on the same device.