    I’m not sure I get the threat posed by an app that presents a fake Apple Pay button on screen. You push the button. So what? What happens next?

    There are several other things a malicious app can do with fake UI (asking for a password is one), but I don’t see the threat posed by an OK button. The app could fake not just the button, but the tap as well if it wanted.

      I think it’s not a fake Apple Pay button; a bad app could create a fake “Do you want to?” button that maliciously maps your OK press onto a hidden Apple Pay button. You are charged and don’t know it.

        But apps can’t hide the Apple Pay dialog. It’s always on top.

      I just realized this is the Apple-elegant version of control-alt-delete! (And given the ridiculous placement of volume-up and power buttons, nearly as awkward.)