Short answer: don’t rely on a fixed blacklist — avoid unofficial or cloned apps, apps from unknown developers, apps that request unnecessary permissions, and any bank/wallet app with repeated recent reports of fraud or severe bugs. In Sri Lanka that practically means:

• Avoid any app that is not the official app published by the bank/issuer on Google Play or Apple App Store (look for the bank’s verified developer name). Fake “clone” banking apps are a common scam vector. (axisbank.com)

• Avoid installing banking/wallet apps from third‑party APK sites or links in social media/WhatsApp. Scammers distribute near‑identical APKs that exfiltrate OTPs, SMS and credentials. (axisbank.com)

• If an official bank app suddenly asks for unrelated, highly sensitive permissions (call logs, SMS, full device access) that its iOS version or previous versions did not request, treat it as suspicious and contact the bank before using it. Community reports show Sri Lankan bank apps sometimes request odd permissions or have buggy Android behavior — exercise caution and confirm with the bank. (Reddit.com)

• Avoid little‑known non‑bank “wallet” apps or payment apps that are not clearly regulated/registered (no corporate identity, no contact/support, no clear links to LankaPay/Central Bank oversight). New government/large‑institution platforms (e.g., GovPay) will be safer because they are official — prefer those over random startups unless you can verify regulatory status. (en.Wikipedia.org)

Practical checklist (do these before installing or using any Sri Lanka mobile banking/payments app)

1. Verify developer: install only from Google Play / App Store and confirm the developer name matches the bank or an official vendor. Look for the verified badge on iOS and the publisher info on Android. (axisbank.com)
2. Confirm via bank channels: check the bank’s official website or call their published support number to confirm the app name and links. Don’t follow links sent in unsolicited messages. (axisbank.com)
3. Check recent reviews/complaints (last 3–6 months): avoid apps with recurring security complaints (unauthorised debits, OTP interception) or persistent critical bugs. Community threads show repeated usability/permission complaints for some Sri Lankan bank apps. (Reddit.com)
4. Inspect permissions: a banking app should not need SMS/call logs or continuous background device access in most cases. If it does, ask why before granting. (axisbank.com)
5. Keep OS and apps updated, use official app stores only, and enable device protections (screen lock, biometrics, Play Protect / App Store protections). (axisbank.com)

Examples and context

• Reports from Sri Lankan users show frustration and occasional security/usability issues with some well‑known bank apps (e.g., user threads cite Commercial Bank, BOC, Sampath issues). Those reports mostly reflect poor UX, permission questions and intermittent bugs — not necessarily malware — but repeated complaints are a warning sign to verify and be cautious. Don’t rely only on one person’s comment; check multiple recent reviews and official bank statements. (Reddit.com)

If you want, I can:

• Check the App Store / Play Store pages for a specific Sri Lankan bank or wallet app and flag suspicious permissions, recent critical reviews, or whether the publisher is official. (I’ll cite the store pages and recent advisories.)