I asked this question in money about telling my bank about using a second hand or grey market mobile phone. The the implication of some of the comments is that any worry is misplaced.
It seems to me that one could be exposed to financial risk by the previous owner or intermediary dealer leaving some form of hardware or software monitoring and control software on the phone. I do not use the phone browser to access the bank (or any sensitive site), or use apps with financial information. The bank sends me one time use codes and sometimes I get security calls, usually automated these days. I would guess the way to exploit such control would to read the one time codes and/or intercept the security calls, therefore potentially allowing fraudsters to access my bank account From a web search it seems one time codes seem a common attack surface.
This question seems to indicate that it would be technically possible to control a second hand phone, in that "General rule of thumb is that once the evil maid has access to the end point, it's not a trusted platform". Note I do not have the skill to take the technical measured talked about, I handle security by not giving the phone access to secure documents.
Is there any indication that this is a real world risk that a member of the public worried about the contents of their bank account should worry about? Has it been documented to have been used one of the multitude of recorded attempted to access funds remotely?
