abcnews / data-life

Data collection and analysis to support a series of stories about data privacy.
https://elvery.net/drzax/datalife

[question] Tcpdumps and Traffic Routing #1

Open scndthe2nd opened 5 years ago

scndthe2nd commented 5 years ago

How are you making sure and confirming that all traffic is being routed through the VPN?

Is there a reason you aren't doing an interface tcpdump directly on the device through Termux or a Linux chroot?

danrossi commented 5 years ago

Android no root firewall does this in a VPN loopback. It won't show packet captures but provides a log of the request and port. It's set to block all requests out, and they need to be accepted. I see many right now for Play Store and Google backup. Nothing from Samsung or Facebook yet, although the Facebook background service is waiting to be accepted.

Even in flight mode I can see requests by Google Play Store in the loopback.

I can confirm the audio recording thing turning into ads and suspect it's Facebook or the dodgy Bixby recording on a loop?

https://play.google.com/store/apps/details?id=app.greyshirts.firewall&hl=en_AU