I doubt your implication that they've broken the TLS layer just by having a honeypot. It sounds like they are taking advantage of exploits to own the phone itself based on their power on/off ability and may be stealing credentials straight out of memory. Or they are putting up a fake gmail honeypot as well and grabbing the passwords from there, but this seems less likely since most people use apps on their phones. Worst-case they actually do have a Google certificate and have in fact broken Google's TLS.