Vulnerabilities associated with payments systems exist and hence signal the need for caution. Examples follow.
Compromised applications: The most plausible vulnerability with payment applications is the presence of other applications on a consumer's mobile phone. If a user has an alternative keyboard application, it could be a risk in terms of logging passwords and pins while performing bank transactions. It is also possible that a user inadvertently downloads an application while browsing the web that could compromise his/her phone data and transactions. With some payment wallets, anyone having casual access to a user's mobile phone could be a vulnerability as application PINs are not set up.
Man-in-middle vulnerability: In this scenario, a hacker gets access to either the servers on the telecom network, the payment wallet or the bank's networks. Listening to the communication (despite being encrypted) could still be considered a risk. This type of vulnerability could be considered to be more esoteric. Hacking of a bank's or NPCI's servers could end up exposing personal details of users, while hacking of a mobile (GSM) network (A5/1 encryption has known vulnerabilities) could expose all communication, especially the USSD-based transactions.