Ironically, if everyone adopted passkeys (the real deal tied to secure enclaves or TPMs), then Android malware could not steal your credentials through any kind of social engineering.