I just wanted to include the text of the email @GerardSweeney sent to me, to add context to my analysis here:
Thanks very much for offering to do this. I've attached a ZIP of the 4 PCAPs where anything actually showed up - all from my phone.
The two "After installing Outlook" ones are the hits I'm getting from my phone after I uninstalled Gmail and installed Outlook.
Many thanks, Gerard
The last line is important as it demonstrates that the Gmail App was not the source of the traffic - nor is it the Outlook App. (BTW - Be aware that the Outlook App on Android and iOS does involve your mail being sent via third party servers when travelling to and from your phone, unlike Outlook on PC - but I digress).
Which is the malware talking to the inbound mail server at Microsoft. What's interesting with this one is that just after the EHLO, this particular malware doesn't try sending the mail; instead it just shuts down the connection.
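To make that pattern easy to spot across a batch of captures, here is an added example (my own, not from Gerard's PCAPs) that classifies SMTP sessions exported as text from a PCAP and flags the ones whose only client activity is EHLO followed by QUIT or a dropped connection. The transcripts, hostnames and session names are constructed; a session that negotiates STARTTLS is reported separately, since anything after it is opaque in the capture.

```python
# Added example, not part of the original thread. Input: one transcript per
# TCP stream, one SMTP line per entry, prefixed ">" (client -> server) or
# "<" (server -> client), as you would get from a "follow stream" export.
import re

# Constructed sample sessions; hostnames are placeholders, not real servers.
SESSIONS = {
    "phone->mx 1": [
        "< 220 mx.example.invalid ESMTP Service ready",
        "> EHLO android-device",
        "< 250-mx.example.invalid Hello",
        "< 250 STARTTLS",
        "> QUIT",
        "< 221 Bye",
    ],
    "phone->mx 2": [
        "< 220 mx.example.invalid ESMTP Service ready",
        "> EHLO android-device",
        "< 250 mx.example.invalid Hello",
        # connection torn down here: no QUIT, no further client commands
    ],
    "legit send": [
        "< 220 mx.example.invalid ESMTP Service ready",
        "> EHLO phone",
        "< 250 mx.example.invalid Hello",
        "> MAIL FROM:<user@example.invalid>",
        "< 250 OK",
        "> RCPT TO:<dest@example.invalid>",
        "< 250 OK",
        "> DATA",
        "< 354 End data with <CR><LF>.<CR><LF>",
        "> QUIT",
        "< 221 Bye",
    ],
}

CLIENT_CMD = re.compile(r"^>\s*([A-Za-z]+)")  # first word of a client line

def classify_session(lines):
    """'ehlo-only', 'delivery-attempt', 'starttls-opaque' or 'no-ehlo'."""
    cmds = []
    for line in lines:
        m = CLIENT_CMD.match(line)
        if m:
            cmds.append(m.group(1).upper())
    if not any(c in ("EHLO", "HELO") for c in cmds):
        return "no-ehlo"
    if "STARTTLS" in cmds:          # later commands are encrypted; cannot judge
        return "starttls-opaque"
    if any(c in ("MAIL", "RCPT", "DATA") for c in cmds):
        return "delivery-attempt"
    return "ehlo-only"              # greeted the server, then went away

def suspicious_sessions(sessions):
    """Session ids that greet the server and disconnect without sending mail."""
    return sorted(sid for sid, lines in sessions.items()
                  if classify_session(lines) == "ehlo-only")

if __name__ == "__main__":
    for sid in suspicious_sessions(SESSIONS):
        print("EHLO then disconnect, no delivery attempt:", sid)
```

Run it over every stream in the capture and the EHLO-only sessions give you the client IP and timing to correlate with app activity on the phone.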
I've gone through my phone, removing any and every app that I don't actually use 🙂
I'll try to fire up the monitoring laptop at home tonight, and see if that's made a dent. Let's hope so - before going on the app hoovering, I'd been onto about my 7th or 8th malware detection app to no avail. Which doesn't inspire confidence in those apps, really.