I love this sort of thing. I'd love to get into this sort of research. No idea where to start to either acquire the skills or once acquired target the right systems/apps. I can still dream though.
Any pointers on where you'd start would be appreciated though.
In this case, the whole process was just "let's see what my device is doing" and then digging until the unexplained is explained. Your devices are doing lots of weird things, talking to tracking servers, fetching data from unexpected places, you just need to take a look and start wondering!
Running Wireshark or an equivalent smartphone app is easy. Understanding it is probably a lot less so, but network protocols can be googled. One trick to not get overwhelmed too much is to not use the device you're analyzing too much, so you only collect background traffic. Another is to filter out traffic you can't do much with. A lot of traffic is encrypted by TLS these days, but a lot of data is still visible, like in this case a random domain that you shouldn't be seeing. However, except for that very first TLS packet, you won't be able to see anything interesting in the rest of the stream, which can be gigabytes in size!
The real challenge for network analysis is that 99% of the time, your network is not doing anything strange (or at least interesting). If you want to find something, you can try seeking out sketchy apps (free VPNs are a nice target, they're almost always shady) but there's no guarantee that you'll find anything. Or you can dive deeper if you think there's more to be found.
In the case of Android apps, those are often easily decompiled into either VM byte code (smali) or even obfuscated Java code. apktool, jd-gui, or ghidra can usually get some kind of readable-ish code out of an app. There's also an excellent online APK decompiler if you trust that. Grabbing the APK is quite easy, you can find apps that do this or otherwise you can use Android's debugging tools to pull the app off your phone.
Depending on how obfuscated your target is, complete reversing may be difficult. You can often take shortcuts, though, like looking for interesting strings or settings files.
Another nice trick to employ when reversing applications is to run Frida. Frida is a toolkit for injecting arbitrary code into another process. You can either inject Frida into an APK you've downloaded, or, if you've got a rooted device, run it against any unmodified app. It works on other platforms as well! With Frida you can write JavaScript in the Chrome dev tools to control the app, list objects and functions, call random APIs, whatever you need, all without decompiling.
Another trick I like to employ is using mitmproxy to man-in-the-middle apps so you see every HTTPS call they make, the responses, and you can even mess with the traffic (change responses, alter requests, you name it). The tricky part is to get the app to accept your TLS interception, but there are Frida scripts that will disable validation of TLS certificates in all manner of apps, giving you the ability to inspect them.
That last part can also be very useful if you're reverse engineering an API. I've written a blog post about a Norton VPN where I did exactly that, not because Norton was being shady, but because I wanted to use the OpenVPN config file on my laptop and they didn't provide me with the necessary files (even though they totally could have).
Not the best writing, it was mostly a recap of the things I did for myself if I ever needed to fetch that file again, but I think the core concepts may still be useful.
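The "very first TLS packet" mentioned above is the ClientHello, whose server_name (SNI) extension carries the domain in the clear before encryption starts. As an added example that is not part of this thread, here is a small Python parser that pulls the SNI out of a captured TLS record and flags hosts outside an allowlist; the ClientHello bytes and the allowlist are constructed inline, not taken from a real capture.

```python
import struct

def _build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension.
    Constructed sample input for the parser below, not a captured packet."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name type, name len
    ext = struct.pack("!HH", 0, len(sni)) + sni                      # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                # client_version + client random
            + b"\x00"                                 # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)      # extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 0x16 = handshake

def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                               # not a handshake record / not a ClientHello
        hs_len = int.from_bytes(record[6:9], "big")
        p = 9 + 2 + 32                                # skip version and random
        p += 1 + record[p]                            # session id
        p += 2 + int.from_bytes(record[p:p + 2], "big")   # cipher suites
        p += 1 + record[p]                            # compression methods
        end = 9 + hs_len
        if p + 2 > end:
            return None                               # no extensions block at all
        ext_len = int.from_bytes(record[p:p + 2], "big"); p += 2
        ext_end = min(p + ext_len, end)
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
            if etype == 0:                            # server_name: skip list len + name type
                name_len = int.from_bytes(record[p + 3:p + 5], "big")
                return record[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                   # truncated or non-ASCII data: treat as no SNI
    return None

def unexpected_hosts(records, allowlist):
    """Return SNI hosts seen in the records that are not on (or under) an allowlisted domain."""
    seen = {h for h in map(extract_sni, records) if h}
    return sorted(h for h in seen
                  if not any(h == a or h.endswith("." + a) for a in allowlist))
```

Pointing the same parser at the first record of each TCP stream in a background capture gives the list of domains worth wondering about.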
I'd literally start any training by asking ChatGPT, probably using phind to ensure it's got more up-to-date info. I wouldn't trust everything it says, but it can help you maybe find your weaknesses on a topic and formulate a self-education plan.