- Security researchers found that Russia’s MAX app can monitor VPN users
- MAX denies claims and says data is used to ensure high-quality service
- Experts recommend removing the app from any device where a VPN is used
A user on the Russian security forum Habr has claimed that Russia’s state-backed messaging service, MAX, can monitor VPN users, claiming it turns “the national messenger into a state spyware tool.”
The user published details that they say show the app “contains a spy module.” After being contacted by TechRadar, technical experts at RKS Global – a digital rights organization focused on Russia – said they were able to “confirm” the findings after an independent analysis of the app’s latest version.
RKS Global told TechRadar: “MAX can determine that the user is using a VPN, identify the IP address of the VPN server, see the user’s ISP and discover what restrictions or blocks the user is bypassing.”
The article continues below
Developed by VK – the Russian provider behind the Mail.ru email and VKontakte social media services – the app is integrated with public services. It was first launched in March 2025 and, since September, must be pre-installed on every new smartphone and tablet sold in Russia.
The press team at MAX was quick to dismiss tracking claims, claiming that “the technical solutions used are aimed at ensuring high-quality service – primarily calls and notifications.” The company added that “they have no bearing on personal data or the use of other services, including VPN.”
Russian VPN provider Paper VPN offered a more cautious perspective. In a post on X, the team points out that while MAX does indeed connect to foreign servers, there are “no indications that this data is being collected specifically for antiblock bypass analysis.”
TechRadar has reached out to MAX for comment.
How MAX allegedly tracks VPN users – and the potential risks
According to the technical analysis confirmed by RKS Global, every time a user opens the MAX app, a hidden module named HOST_REACHABILITY collects and sends details about their network environment to VK servers in Russia.
According to Russian law, VK must store and share this information with law enforcement authorities upon request.
The transmitted data reportedly includes whether the user is connected to a VPN, which websites are available or blocked on their network, their real IP address and their ISP. Crucially, users cannot disable this monitoring.
The analysis also found evidence that the module can be controlled remotely. This, explains RKS Global, indicates that targeted activation is possible. Additionally, the app’s traffic appears to be intentionally obfuscated to make these controls harder to detect.
RKS Global warned that this level of tracking could lead to the de-anonymization of VPN connections – a particularly serious risk for users in Russia.
Although VPNs themselves are not strictly illegal in Russia, their use is increasingly being criminalized. In July 2025, the Russian parliament approved a law to penalize online searches for so-called ‘extremist’ content and established the use of a VPN to access banned material as an aggravating legal factor.
However, Paper VPN noted that the Kremlin already has the ability to monitor VPN usage through other services. Still, the provider echoed concerns about the broader privacy risks of using the app, saying simply that “MAX is not a secure and confidential messenger.”
These latest findings follow a separate technical study from last August, which concluded that MAX possesses “tremendous surveillance potential.
How to stay safe
Security researchers at RKS Global encourage anyone using MAX on a device with an active VPN connection to remove the application completely.
If deleting the app is out of the question, they suggest setting up a VPN at the router level instead of directly on the device. If that is not an option, users should consistently disable their VPN before opening MAX.
There are also some workarounds suitable for more advanced users, including blocking the app’s network traffic via a custom DNS or firewall. On Android, users have the option to install MAX in a separate, isolated workspace to limit its access to the device’s wider network state.
RKS Global says removing the software is ultimately “the only reliable remedy” and warned that other VK-developed apps may contain similar tracking functionality.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
