It's not that hard
"Can someone explain how, if this works"
Imagine going to a map service website over https. Your browser will load the tiles from the website over TLS links. In the extreme case of bad HTTP(s) implementations, you create a connection, send your GET, and get your tile. Since it's encrypted you don't know what's inside that tile.
However, all those tiles are encoded in JPEG (or PNG), which means that their file sizes differ. Encryption doesn't obscure the file size so you'll be able to see how big that tile was. Since your browser likely loads tiles from roughly the same location, you can use the file sizes to find out what tiles were loaded.
With malware the hope is that the malware will always behave predictably. For example an initial state always loads a secondary stage that is 123532 octets big, then after 3,21 seconds a tertiary stage that's 4235431 octets in size. The idea is that if you see 2 downloads 3,21 seconds apart of those sizes in succession, you'll have detected the malware...
...obviously that's extremely trivial to circumvent, just add padding or other forms of randomness.
This is not a new attack for encryption, but a common thing encryption cannot do by itself.