by acdha 121 days ago
How did you determine that a connection was malicious? Modern apps are noisy with all of the telemetry and ad traffic, and that includes a fair amount of background activity. If all you’re seeing are connections to AWS, GCP, etc. it’s highly unlikely that it’s a compromise.

Similarly, when you talk about it going away after a reset, that seems more like normal app activity stopping until you restart the app.

1 comments

That doesn’t have any details supporting the belief that this traffic was malicious or a sign of compromise. I’d easily believe that it’s picking up developer telemetry or ad networks but without some hard evidence this sounds like misinterpretation rather than a compromise.