- Security researcher suggests Russian MAX app includes surveillance features
- MAX rejects the allegations, deeming the analysis “false”
- RKS Global confirms most of the claims, saying “none is completely false.”
A user on the Russian security forum Habr claimed that the state-backed Russian messaging service MAX included invasive tools to spy on user activities.
The researcher claims to have reverse engineered the app’s APK and discovered at least 15 security issues.
The analysis claims that the app can take screenshots of conversations, secretly record audio, create fake chats, and directly delete messages. MAX also allegedly bypassed Google Play to force updates, share address book details with its servers, and detect whether users have a virtual private network (VPN).
The MAX press team was quick to dismiss all allegations, directly addressing the post’s author and calling the analysis “false.” The company adds: “MAX does not monitor users, does not collect their personal data and does not dare to have the technical possibility of listening to calls,” insisting that “all user data is securely protected.”
These findings follow similar claims about the app’s ability to monitor VPN usage, which were first shared by another user on Habr in March. In April, Russian digital rights group RKS Global also discovered that MAX was among 30 Android apps detecting active VPN connections.
Developed by VK – the Russian tech giant behind email service Mail.ru and VKontakte – the messaging app is deeply integrated with government services. It was first launched in March 2025, and since September 2025 it has been mandatory to pre-install it on every new smartphone and tablet sold in Russia.
Last year, other security researchers found the app had “huge surveillance potential.” Most recently, US hosting infrastructure giant Cloudflare labeled MAX as “spyware”, although the label was removed 24 hours later, according to independent Russian media outlet Meduza.
Experts say no claim is ‘outright false’
Although TechRadar could not independently verify these claims, we asked the experts at RKS Global for their assessment. A spokesperson told us that of the 25 technical claims in the Habr post, “14 are fully confirmed in code, six are partially confirmed, five we could not statically verify, and none were completely false.”
RKS Global found that MAX’s alleged ability to take screenshots of conversations was the “weakest” of the allegations. “We haven’t found any code to capture a screenshot of the user’s screen and send it home,” the group’s spokesperson told TechRadar.
Experts have, however, confirmed that MAX can record user chats, delete messages and detect VPN usage. They also partially confirmed the allegation that the app can create fake chats, but only on the RuStore version – the Russian state-backed alternative app marketplace.
Overall, RKS Global points out that Habr’s post exaggerates certain allegations. “Where the article was wrong was in naming/details (obfuscated class names that drift between versions), not in substance,” they say.
It should be noted that RKS Global experts only performed static analysis. This means they decompiled the APKs to read the underlying code, but did not run the binary on a rooted device or capture live network traffic.
“The five unverified claims (call recording privacy default, TamtamSpam URI push handler, LocationRequest silent push behavior, six IP checkers, sensor fingerprinting in MyTracker) require dynamic testing on a monitored handset,” the group spokesperson told us.
TechRadar has contacted MAX for comment.
How to stay safe
As the Kremlin continues to push for MAX to become an essential application in citizens’ daily lives, security experts are sharing recommendations on how to mitigate potential risks.
- Treat MAX as a non-private channel. Unlike WhatsApp or Signal, MAX does not have end-to-end encryption by default. This means that every message, contact, and group call audio stream is theoretically likely to be accessible on the server side. “Anything you wouldn’t say in a phone call to a public carrier shouldn’t be said in MAX,” warns RKS Global.
- Keep app permissions to a bare minimum. RKS Global strongly discourages granting Contacts, Microphone, Camera, or Phone permissions unless absolutely necessary, and recommends revoking them immediately after use.
- Avoid the version distributed by RuStore. RKS Global’s findings suggest that the Google Play distribution could be slightly more secure and that the RuStore version has a noticeably larger attack surface.
- Let’s assume that using a VPN is not protection. Experts warn that a standard VPN won’t protect your privacy on this app as one might expect. This is because MAX would have the ability to detect VPN usage, disable features when a VPN is active, and use external IP verification services to discover a user’s true exit IP address.
- If you must use MAX, store it in a sandbox. Where possible, experts recommend using MAX on a secondary Android profile or dedicated device. Log in with a secondary phone number, avoid linking it to your real contacts, and turn off microphone access until the exact moment of a call.
- Avoid sharing sensitive information. For private conversations, RKS Global suggests using an end-to-end encrypted alternative, like Signal or a self-hosted Matrix client, while treating MAX exactly as you would a state-monitored phone line.
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
