Russian Researcher Alleges MAX App Includes Surveillance Features, VPN Detection Capabilities
Published
Key Takeaways
- MAX app surveillance claims: Researcher alleges MAX records chats, detects VPNs, and bypasses standard Android update protections.
- Code review findings: RKS Global confirmed several allegations after static analysis of MAX’s Android application code.
- Privacy concerns grow: Experts warn MAX lacks default end-to-end encryption and may expose sensitive user communications.
A Russian cybersecurity researcher has claimed that Russia’s state-backed messaging platform, MAX, contains several features that could potentially be used to monitor users and collect sensitive data. The allegations were shared in a detailed post on the Russian tech forum Habr, where the researcher said they reverse-engineered the app’s Android APK and identified at least 15 security-related concerns.
According to the analysis, the app may have the ability to record audio, erase messages, create fake chats, and detect whether users are connected to a VPN. The researcher also alleged that MAX can bypass Google Play’s standard update system to force updates directly and may share contact book data with remote servers.
MAX has denied the accusations, calling the report “fake” and insisting that the app neither monitors users nor collects personal data. The company also stated that it does not have the technical capability to listen to calls and said all user information is securely protected.
The claims arrive amid growing scrutiny of MAX, which has increasingly become part of Russia’s digital ecosystem. The app was developed by VK, the Russian technology company behind Mail.ru and VKontakte, and launched in March 2025. Since September 2025, MAX has reportedly been mandatory on all newly sold smartphones and tablets in Russia.
Digital Rights Group Says Several Claims Are Supported by Code Analysis
While the allegations have not been independently verified through live testing, Russian digital rights organization RKS Global reviewed the findings and said many of the technical claims appear to be supported by the application’s code.
According to the group, out of 25 technical allegations listed in the Habr post, 14 were fully confirmed during static analysis, six were partially confirmed, and five could not be verified without dynamic testing. RKS Global added that none of the claims were found to be “outright false.”
The organization noted that the accusation regarding automatic screenshot capture appeared to be the weakest point in the report. Researchers said they did not find evidence showing that MAX secretly captures users’ screens and sends screenshots to external servers.
However, RKS Global stated that the app does appear capable of recording chats, deleting messages, and identifying active VPN connections. The group also partially confirmed allegations related to fake chat creation, though researchers said this behavior was observed only in the RuStore version of the app, Russia’s state-backed alternative to Google Play.
The experts explained that their work involved static analysis only, meaning they decompiled the APK files and reviewed the code without running the application on a live device or monitoring real-time network activity. Some allegations, including claims related to call-recording defaults, sensor fingerprinting, and external IP-checking services, would require dynamic testing on controlled devices for confirmation.
MAX’s Growing Role Raises Privacy Concerns
The latest allegations add to earlier reports surrounding MAX and VPN monitoring. Earlier this year, another Habr user claimed the app could identify VPN usage. In April, RKS Global also reported that MAX was among roughly 30 Android apps capable of detecting active VPN connections.
The app has already attracted attention from security researchers due to what some described as “significant surveillance potential.” More recently, infrastructure company Cloudflare briefly labeled MAX as “spyware,” although that label was reportedly removed within 24 hours, according to independent Russian outlet Meduza.
Privacy advocates argue that the app’s deep integration with state services has increased concerns around user data security and online monitoring.
Security experts also warned that MAX should not be considered a private communication platform. Unlike apps such as Signal or WhatsApp, MAX reportedly does not offer end-to-end encryption by default, meaning communications could theoretically be accessible on the server side.
Researchers further advised users to limit app permissions wherever possible, avoid granting access to contacts, microphones, and cameras unless necessary, and revoke permissions after use. They also suggested avoiding the RuStore version of the app, which they believe may expose users to a larger attack surface compared to the Google Play release.
Experts additionally warned that VPN usage may not fully protect privacy within the app, as MAX allegedly has the ability to detect active VPN connections and potentially identify users’ real IP addresses through external services.
For users who must use the platform, researchers recommended running MAX on a secondary device or isolated Android profile, using a separate phone number, and avoiding the sharing of sensitive information through the app.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular