Since Rapport can block anything that tries to modify or inject into the browser, other than the user, it would be easier to use social engineering. I should think it would be easy for malware to read the drive and discover any possible phone numbers for the target, and use that as well. I have a program that can read the drive and quickly (about 1 minute or less) show any phone number or credit card that has been entered through the keyboard or filed in a documents folder. Fortunately it is one of the good guys (I hope always so) and is used to find the errant information and either delete or encrypt said information.
I'm not sure Rapport blocks sensing that an SSL session is in progress, so if it doesn't, the bug could simply guess at it, and run an automated SMS message to a target phone number, in an attempt to fool the target person into thinking it was a legit out-of-band authentication. That is a riskier scenario for the criminal, compared to the Zeus variant you write about, however.
I wonder if the developer of PassWindow ever got his Zeus problems ironed out? I should think he could make it work with Trusteer, and take advantage of the browser bubble; but then it wasn't supposed to use a browser at all, was it?
(edited) The developer of PassWindow tells me he has a plugin for the browser that works similarly to Rapport; I'm just going by his word that it can't be manipulated. I forgot to ask if it resides in kernel space like Rapport does.
I also have no idea if any of this is valid for mobile devices.