- Security researcher suggests Russia’s MAX app includes surveillance features
- MAX rejects allegations, deeming the analysis “a fake”
- RKS Global confirms most claims, saying that “none are outright false”
A user on the Russian security forum Habr has claimed that Russia’s state-backed messaging service, MAX, includes invasive tools to spy on users’ activities.
The researcher claims to have reverse-engineered the application’s APK and found at least 15 security issues.
The analysis alleges the app can take screenshots of conversations, secretly record audio, create fake chats, and erase messages directly. MAX was also allegedly found to bypass Google Play to force updates, share address book details with its servers, and detect if users have a virtual private network (VPN) enabled.
The press team at MAX was quick to reject all allegations, directly reaching out to the author of the post and calling the analysis “fake.” The company added: “MAX does not monitor users, does not collect their personal data and does not dare to have the technical possibility of listening to calls,” insisting that “all user data is securely protected.”
These findings follow similar claims regarding the app’s ability to monitor VPN usage, which were first shared by another user on Habr in March. In April, the Russian digital rights group RKS Global also found that MAX was among 30 Android apps detecting active VPN connections.
Developed by VK — the Russian tech giant behind the Mail.ru email service and VKontakte — the messaging app is deeply integrated with government services. It first launched in March 2025 and, since September 2025, has been mandatory to pre-install on every new smartphone and tablet sold in Russia.
Last year, other security researchers found the application to have “an enormous surveillance potential.” More recently, the US-based hosting infrastructure giant Cloudflare labeled MAX as “spyware,” though the label was removed 24 hours later, according to independent Russian news outlet Meduza.
Experts say no claims are “outright false”
While TechRadar could not independently verify these claims, we asked experts at RKS Global for their assessment. A spokesperson told us that of the 25 technical claims contained in the Habr post, “14 are fully confirmed in the code, six are partially confirmed, five we could not verify statically, and none was outright false.”
RKS Global found that MAX’s alleged ability to take screenshots of conversations was the “weakest” of the claims. “We did not find code that captures a screenshot of the user’s screen and sends it home,” the group’s spokesperson told TechRadar.
Experts did confirm, however, that MAX can record users’ chats, erase messages, and detect VPN usage. They also partially confirmed the allegation that the app can create fake chats, but only on the RuStore build — Russia’s state-backed alternative app market.
Overall, RKS Global points out that the Habr post does overstate some of the allegations. “Where the article was wrong, it was on naming/specifics (obfuscated class names that drift between builds), not on substance,” they say.
It is worth noting that RKS Global’s experts carried out a static analysis only. This means they decompiled the APKs to read the underlying code, but did not run the binary on a rooted device or capture live network traffic.
“The five unverified claims (call-recording privacy default, TamtamSpam URI push handler, LocationRequest silent push behaviour, six IP checkers, sensor fingerprinting inside MyTracker) require a dynamic test on a controlled handset,” the group’s spokesperson told us.
TechRadar has approached MAX for comment.
How to stay safe
As the Kremlin keeps pushing for MAX to become an essential app in citizens’ everyday lives, security experts are sharing recommendations on how to mitigate potential risks.
- Treat MAX as a non-private channel. Unlike WhatsApp or Signal, MAX has no end-to-end encryption by default. This means that every message, contact, and group-call audio stream is theoretically in scope for server-side access. “Anything you would not say into a phone call to a state-run carrier should not be said in MAX,” RKS Global warns.
- Keep app permissions to the bare minimum. RKS Global strongly advises against granting Contacts, Microphone, Camera, or Phone permissions unless absolutely needed, and recommends revoking them immediately after use.
- Avoid the RuStore-distributed build. RKS Global’s findings suggest that the Google Play distribution may be slightly safer and that the RuStore build has a materially larger attack surface.
- Assume that a VPN will not protect you. Experts warn that a standard VPN will not protect your privacy on this app as you might expect. This is because MAX allegedly has the ability to detect VPN use, disable features when a VPN is active, and use external IP-checker services to uncover a user’s real exit IP.
- If you must use MAX, keep it sandboxed. Whenever possible, experts recommend using MAX on a secondary Android profile or a dedicated device. Sign in with a secondary phone number, avoid linking it to your real contacts, and disable microphone access until the exact moment of a call.
- Avoid sharing sensitive information. For private conversations, RKS Global suggests using an end-to-end encrypted alternative—like Signal or a self-hosted Matrix client—while treating MAX exactly as you would a state-monitored phone line.
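To check the permissions advice above on a handset you control, this added example (not code from the article, RKS Global or MAX) parses the output of `adb shell dumpsys package <package>` and reports which of the four permission groups named in the list are currently granted. The package name, the sample output and the group-to-permission mapping are assumptions constructed for illustration.

```python
import re

# Assumed mapping from the four groups the advice names to Android
# runtime permissions (illustrative, not taken from the article).
SENSITIVE = {
    "Contacts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "Microphone": {"RECORD_AUDIO"},
    "Camera": {"CAMERA"},
    "Phone": {"READ_PHONE_STATE", "READ_PHONE_NUMBERS", "CALL_PHONE",
              "READ_CALL_LOG", "WRITE_CALL_LOG", "ANSWER_PHONE_CALLS"},
}

# Constructed sample of `adb shell dumpsys package <package>` output;
# com.example.messenger is a placeholder package name.
SAMPLE = """\
Package [com.example.messenger] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
        android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=false
"""

LINE = re.compile(r"^\s*android\.permission\.(\w+): granted=(true|false)")

def granted_sensitive(dumpsys_text):
    """Return {group: [granted permissions]} from runtime-permission sections."""
    found, in_runtime = {}, False
    for line in dumpsys_text.splitlines():
        if line.strip() == "runtime permissions:":
            in_runtime = True            # section header: start collecting
        elif (m := LINE.match(line)) is None:
            in_runtime = False           # any other line ends the section
        elif in_runtime and m.group(2) == "true":
            for group, perms in SENSITIVE.items():
                if m.group(1) in perms:
                    found.setdefault(group, []).append(m.group(1))
    return found

def revoke_commands(package, found):
    """Build the `pm revoke` command for every granted sensitive permission."""
    return [f"adb shell pm revoke {package} android.permission.{p}"
            for perms in found.values() for p in perms]

if __name__ == "__main__":
    result = granted_sensitive(SAMPLE)
    print(result)
    print("\n".join(revoke_commands("com.example.messenger", result)))
```

Revoking a permission this way lasts only until the app requests it again and the user grants it, so the check is worth repeating after each call or update.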
chiara.castro@futurenet.com (Chiara Castro)




