I don't get it. Where does the VPN traffic go through? If they can operate a gateway, then surely they can provide their own endpoints for IP discovery (and also C&C for that matter).
Until it's discovered, traffic to their own servers would appear the most innocuous. After that, the app gets kicked off the store and the server doesn't matter.
Unless it doesn't actually do any VPN and it's all just a farce, lol.
If I had a known user agent doing a curl to icanhazip or whatnot, could that eventually be blacklisted?