An attacker can then compromise both factors at the same time.
To me, this weakens the point of 2FA a lot.
If you are able to use a second device for your 2FA, great but it is not always possible and 2FA on the same device is still better then no 2FA at all. I don't want to carry around a key just for all my 2FA passwords but still want to use my phone for common tasks that require 2FA.
Additionally, the keylogging threat is severely reduced against most 2fa (because the login has to happen before the user sends the OTP) and can be eliminated completely by ensuring the token code is on a separate screen and creating a 30 second lock on the account while the user is entering the code.
In what world is malware which has full control of the PC stopped by having the token code on a separate monitor but the same logical system (if that's what you're talking about).
An attacker with control of the PC can just get access to any app. on that PC...
This is fun, I have a tablet here on my desk I was given to repair a couple days ago. It's a mainstream tablet here in greece, sold for 70-90€, the sort of thing you'd buy if you are an "ordinary user" who doesn't know any better.
Well it's running a 4.x android with a custom marketplace and it is FULL OF ADWARE. Seriously. There's fullscreen porn popup ads on the OS itself. There's hundreds of spam notifications, a "fake" screenlocker which captures your taps into ads, etc, etc. Seriously, this thing is like a Windows XP SP0 PC from 2005 after heavy adblockless porn usage with flash and java on. I actually haven't seen anything like that this decade.
This is what you get if you buy an off-the-shelf tablet or phone here. This is what "ordinary users" get. We gave up control of our own devices in the name of security, yet shit like this can still happen.
(Sorry for the OT rant. Seeing that tablet pissed me off.)