I'd be really interested to know whether a significant amount of fraud and fraud attempts involve devices with root or non-stock operating systems.
This has always struck me as a matter of checkbox compliance rather than a commonly-exploited attack vector, though I'll grant that's partially because few people actually use such devices.
Intuitively I'd say no, there's no way it's a significant amount of fraud. Number one because, as you said, it's rare, but number two because you just don't need a rooted phone to scam someone. You can very easily scam people on perfectly legitimate phones and with perfectly legitimate apps.
Keyloggers would be considered a form of fraud, right? Customers can be protected by not allowing rooted phones which may contain malware and steal credentials, but then again Windows is a nightmare for security and nobody is banning banking from Windows.
Right, but you don't need a rooted phone to keylog someone. You can just ask for their password over the phone, and people do, and it works. Or, you can install a plethora of perfectly legitimate remote access apps available on the Play Store.
I worked in fraud compliance architecture at a bank. They didn't checkbox anything. They had a lot of gathered data and justification for the limits they enabled. I'm sure not every bank does it that way, but they weren't trying to limit legit customer access, and they pained at enforcing limitations like this.
Yeah I call bullshit. The number of people with rooted phones is going to be way less than 1%, and the number of those that are unsophisticated enough to fall for scams/malware is going to be minuscule.
This is pretty clearly a case of "oh there's an option here that says 'allow on rooted phones', do we want to allow that?" "No that sounds scary and risky! Of course not. We must not allow it."
The option is there, and nobody is going to try to sell not ticking it.
Devices that are easily rooted absolutely originate fraud. It's not like this is some wild claim. Look at how much financial fraud is driven by botnets running on old Windows PCs.
In my experience, people don't really care about rooted devices and non-stock Android -- if those devices are actually phones in the hands of human users.
The big fraud vector is running emulators in datacenters or skipping running the app entirely and talking directly to endpoints. Requiring that an entity making a request is from a real phone and is from (approximately) your app adds friction and is effective at reducing fraud.
I work at Grab (SEA rideshare and licensed bank, but not licensed in VN).
A significant amount of fraud comes from scammers convincing victims to install malicious apps. They fake being a customer service provider.
Banks don't want their customers to lose their money and they don't have the tools to protect them from themselves. For all the privacy reasons, app stores don't even give banks enough tools to identify and block this fraud.
Tricking someone into installing a malicious app usually doesn't involve them having a third-party or modified operating system on their phone. I'm asking about that because I believe it's a hypothetical risk rather than a problem in practice and I'm curious about any evidence to the contrary.
Drivers buy modified versions of our mobile app, because they think it will give them advantages over other drivers. These apps are side-loaded (not published in the app store).
Thanks for the additional detail. Do those apps actually give them advantages, or are they scams/malware?
I wasn't asking about sideloading apps though. I was asking about modified operating systems like LineageOS and GrapheneOS, or root via OS modifications like Magisk and KernelSU.
This has always struck me as a matter of checkbox compliance rather than a commonly-exploited attack vector, though I'll grant that's partially because few people actually use such devices.