- Security researcher suggests Russia’s MAX app includes surveillance features
- MAX rejects the accusations and considers the analysis “false”
- RKS Global confirms most claims and says “none are completely false”
A user on Russian security forum Habr claimed that the Russian state-backed messaging service MAX includes invasive tools to spy on user activities.
The researcher claims to have reverse engineered the app’s APK and found at least 15 security issues.
The analysis alleges that the app can take screenshots of conversations, secretly record audio, create fake chats, and delete messages directly. MAX was also found to bypass Google Play to force updates, share address book details with its servers, and detect whether users have a virtual private network (VPN) enabled.
MAX’s press team was quick to reject all allegations, directly contacting the author of the publication and calling the analysis “false.” The company added: “MAX does not monitor users, does not collect their personal data and does not dare to have the technical possibility of listening to calls,” insisting that “all user data is securely protected.”
These findings follow similar claims about the app’s ability to monitor VPN usage, which were first shared by another user on Habr in March. In April, Russian digital rights group RKS Global also discovered that MAX was among 30 Android apps that detected active VPN connections.
Developed by VK, the Russian tech giant behind email service Mail.ru and VKontakte, the messaging app is deeply integrated with government services. It was first released in March 2025, and since September 2025, it is mandatory to pre-install it on every new smartphone and tablet sold in Russia.
Last year, other security researchers found that the app has “enormous surveillance potential.” More recently, US-based hosting infrastructure giant Cloudflare labeled MAX as “spyware,” although the label was removed 24 hours later, according to Russian independent news outlet Meduza.
Experts say no claim is ‘totally false’
While TechRadar was unable to independently verify these claims, we asked the experts at RKS Global for their assessment. A spokesperson told us that of the 25 technical claims contained in Habr’s post, “14 are fully confirmed in code, six are partially confirmed, five we could not statically verify, and none were completely false.”
RKS Global found that MAX’s alleged ability to take screenshots of conversations was the “weakest” of the claims. “We didn’t find any code that captures a screenshot of the user’s screen and sends it home,” the group’s spokesperson told TechRadar.
However, experts confirmed that MAX can record user chats, delete messages, and detect VPN usage. They also partially confirmed the allegation that the app can create fake chats, but only in the RuStore version, Russia’s state-backed alternative app marketplace.
Overall, RKS Global notes that Habr’s post exaggerates some of the allegations. “Where the article was wrong, it was in names/specifics (obfuscated class names that vary between builds), not in substance,” they say.
It should be noted that RKS Global experts performed only a static analysis. This means they decompiled the APKs to read the underlying code, but did not run the binary on a rooted device or capture live network traffic.
“The five unverified claims (default call recording privacy, TamtamSpam URI push handler, LocationRequest silent push behavior, six IP checkers, sensor fingerprinting within MyTracker) require dynamic testing on a controlled phone,” the group’s spokesperson told us.
TechRadar has approached MAX for comment.
How to stay safe
As the Kremlin continues to push for MAX to become an essential application in citizens’ daily lives, security experts are sharing recommendations on how to mitigate potential risks.
- Treat MAX as a non-private channel. Unlike WhatsApp or Signal, MAX does not have end-to-end encryption by default. This means that, in theory, every message, contact, and group call audio stream is within the scope of server-side access. “Everything you wouldn’t say in a phone call to a state-owned company shouldn’t be said at MAX,” warns RKS Global.
- Keep app permissions to a minimum. RKS Global strongly advises against granting permissions to Contacts, Microphone, Camera or Phone unless absolutely necessary, and recommends revoking them immediately after use.
- Avoid build distributed by RuStore. RKS Global’s findings suggest that the Google Play distribution may be slightly more secure and that the RuStore version has a materially larger attack surface.
- Assume that using a VPN is not a protection. Experts warn that a standard VPN won’t protect your privacy in this app as you might expect. This is because MAX supposedly has the ability to detect VPN usage, disable features when a VPN is active, and use external IP verification services to discover a user’s actual outgoing IP.
- If you must use MAX, keep it in the sandbox. Whenever possible, experts recommend using MAX in a secondary Android profile or on a dedicated device. Sign in with a secondary phone number, avoid linking it to your real contacts, and disable microphone access until the exact moment of a call.
- Avoid sharing confidential information. For private conversations, RKS Global suggests using an end-to-end encrypted alternative, such as Signal or a self-hosted Matrix client, while treating MAX exactly as you would a state-monitored phone line.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
