I can't comment on the general trend, but this specific one seems a bit too circumstantial to be of use for a serious spying effort. You'd have to have the spyware running parallel to the apps usong passwords you want to steal in a specific way.

The risk exists, which is bad enough for stochastic reasons (eventually, someone will get lucky and manage to grab something sensitive, and since the potential damage from that is incalculable, the impact axis alone drives this into firm "you need to get that fix out asap), but probably irrelevant in terms of consistency, which would be what you'd need to actually monitor anyone.

If you manage to grab enough info to crack some financial access data, you can steal money. If you can take over some legit online account or obtain some email-password combo, you can sell it. But if you want to monitor what people are doing in otherwise private systems, you need some way to either check on demand or log their actions and periodically send them to your server.

It would be far more reliable to have injection backdoors to allow you access by virtue of forcing a credential check to come up valid than to hope for the lucky grab of credentials the user might change at an arbitrary moment in time.

Check out the documentary Zero Days (2016) if you haven’t already. That’s not really a tinfoil hat take these days IMO.

On the plus side now we can steal the info from the criminal's computers. The cycle of internet life...