A piece of news is circulating the Greek media.
Allegedly a small group of Chinese were running a Stingray operation through a van. They were mimicking a cellular tower and they were sending messages(probably SMS) containing links and then they were gathering information in order to emulate banking cards and steal money.
Also recently a friend was scammed through social engineering to make some payments to Revolut by someone pretending his accountant, the system blocked only the 3rd transaction due to repetition of the same amount while the bank considered the first two as legit because they had been done normally through the e-banking.
The most strange was another scam where the credit card appeared to have been used at a POS of a carrier’s shop in a day that the shop was closed but the bank insisted that it was legit, from there on you have to go the legal way.
In any case I have verified(many more beyond the above) the key is the social engineering, they mostly tell you that due to a “corporate money transfer” you have to acknowledge the transaction and then they send you a link that emulates the bank’s website so they steal the credentials and log in and last they ask you for the SMS One Time Passcode(OTP) to verify the transaction.
The point I want to make here is that I doubt that anyone can just hack into your phone, it’s all based on trust and wrong actions. I leave an open window for the manufacturers of the devices either through employees/ex-employees scamming or selling information or the passing of information legally/illegally to some state player.