Short answer — don’t install or use any mobile app that is not the bank’s official app (published by the bank itself), and avoid these risky categories of apps in Sri Lanka:

• Fake/clone “bank” apps or impersonators (apps that copy a bank’s name, icon or description but are published by a different developer). Sri Lanka CERT warns scammers hide behind loan/giveaway/financial apps aimed at Sri Lankans. (cert.gov.lk)
• “Quick loan” and predatory-lending apps that request bank credentials, OTPs or excessive permissions — these are a common scam vector. (CERT & multiple scam advisories). (cert.gov.lk, tech.hindustantimes.com)
• Utility/QR/finance apps on third‑party stores (or even Play Store apps laced with banking trojans) that ask for Accessibility/SMS/call permissions or ask you to “enable updates outside the store.” Researchers recently found banking trojans (Anatsa/TeaBot, Joker, Coper, etc.) hidden in apps that can steal credentials and OTPs. (tomsguide.com, zscaler.com)
• Any app that asks you to forward OTPs, share full login credentials, or to install an “update” from a web link rather than your official app store. Malware authors use overlay screens and requests for Accessibility to capture logins. (tomsguide.com, zscaler.com)
• Apps from unknown sources / sideloaded APKs (outside Google Play / App Store). These are frequently used to distribute malware and scam apps. (usa.kaspersky.com, tech.hindustantimes.com)

How to tell an app is risky (quick checklist)

• Verify the publisher name matches the bank’s official publisher and the app link is listed on the bank’s official website. (If in doubt, use the bank’s website to find the store link). (boc.lk)
• Check permissions before installing — red flags: Accessibility, SMS, call/SMS default, camera+microphone+contacts when not needed. (zscaler.com, usa.kaspersky.com)
• Read recent reviews (look for reports of credential theft, forced updates, or requests to enable unknown permissions). Don’t trust only 5‑star reviews (they can be faked). (usa.kaspersky.com)
• Only install from the official Play Store or Apple App Store and keep Play Protect / App Store protections enabled. (tomsguide.com, usa.kaspersky.com)
• Never share OTPs or full credentials by phone/WhatsApp/email — legitimate banks will not ask you to send OTPs or passwords. (CERT guidance and general banking security best practice). (cert.gov.lk, usa.kaspersky.com)

If you already installed a suspicious app

• Uninstall it immediately, change your bank passwords, contact your bank, and monitor/lock your accounts. Run a reputable mobile antivirus scan and consider notifying Sri Lanka CERT and the app store. (cert.gov.lk, usa.kaspersky.com)

Why I’m not listing specific bank apps to “avoid”

• Many complaints about poor user experience, instability or permissions exist for some Sri Lankan bank apps (users report outages and UX/security concerns), but poor reviews ≠ proven theft or malware. For safety, focus on avoiding unofficial/clone apps and the red‑flag behaviors above rather than blanket‑blacklisting a bank app without confirmed security incidents. (If you want, I can check a specific app’s developer name/Play Store listing and scanner results). (bevigil.com, reddit.com)

Useful links (for more detail)

• Sri Lanka CERT — scam alerts and fake‑loan app guidance. (cert.gov.lk)
• Recent research on Android banking trojans (Anatsa/TeaBot, Joker, etc.). (tomsguide.com, zscaler.com)
• How to spot fake apps (Kaspersky / general guidance). (usa.kaspersky.com)

If you’d like, tell me one or two app names you’re worried about (exact name or developer as shown in the Play/App Store) and I’ll check whether they look legitimate and if there are any public security warnings about them.