- Security researcher suggests Russia’s MAX app contains surveillance capabilities
- MAX denies claims and considers analysis “a fake”
- RKS Global confirms most claims, saying “none are outright false”
A user on the Russian security forum Habr has claimed that Russia’s state-backed messaging service, MAX, includes invasive tools to spy on users’ activities.
The researcher claims to have reverse-engineered the application’s APK and found at least 15 security issues.
The analysis claims that the app can take screenshots of conversations, secretly record audio, create fake chats and delete messages directly. MAX was also allegedly found to bypass Google Play to force updates, share address book details with its servers and detect whether users have a virtual private network (VPN) enabled.
The press team at MAX was quick to deny all claims, contacting the author of the post directly and calling the analysis “false”. The company added, “MAX does not monitor users, does not collect their personal data and does not dare to have the technical ability to listen to calls,” and insisted that “all user data is securely protected.”
These findings follow similar claims about the app’s ability to monitor VPN usage that were first shared by another user on Habr in March. In April, Russian digital rights group RKS Global also found that MAX was among 30 Android apps that detected active VPN connections.
Developed by VK — the Russian tech giant behind the Mail.ru email service and VKontakte — the messaging app is deeply integrated with public services. It was first launched in March 2025 and since September 2025 has been mandatory to pre-install on every new smartphone and tablet sold in Russia.
Last year, other security researchers found the application had “enormous surveillance potential.” Recently, US-based hosting infrastructure giant Cloudflare labeled MAX as “spyware”, although the label was removed 24 hours later, according to independent Russian news outlet Meduza.
Experts say no claims are “outright false”
While TechRadar couldn’t independently confirm these claims, we asked experts at RKS Global for their take. A spokesperson told us that of the 25 technical claims contained in the Habr post, “14 are fully confirmed in code, six are partially confirmed, five we could not verify statically, and none were outright false.”
RKS Global found MAX’s alleged ability to take screenshots of conversations to be the “weakest” of the claims. “We did not find code that captures a screenshot of the user’s screen and sends it home,” the group’s spokesperson told TechRadar.
However, experts confirmed that MAX can record users’ chats, delete messages and record VPN usage. They also partially confirmed the claim that the app can create fake chats, but only on the RuStore building – Russia’s state-backed alternative app market.
All in all, RKS Global points out that the Habr post does not exaggerate some of the claims. “Where the article was wrong, it was about naming/specifications (obfuscated class names that slip between builds), not substance,” they say.
It is worth noting that RKS Global’s experts have only performed a static analysis. This means they decompiled the APKs to read the underlying code, but they didn’t run the binary on a rooted device or capture live network traffic.
“The five unverified claims (default call recording privacy, TamtamSpam URI push handler, LocationRequest silent push behavior, six IP checks, sensor fingerprint inside MyTracker) require a dynamic test on a controlled handset,” the group’s spokesperson told us.
TechRadar has reached out to MAX for comment.
How to stay safe
As the Kremlin continues to push for MAX to become an essential app in citizens’ everyday lives, security experts are sharing recommendations on how to mitigate potential risks.
- Treat MAX as a non-private channel. Unlike WhatsApp or Signal, MAX has no end-to-end encryption by default. This means that all messages, contacts and audio streams for group calls theoretically have access to the server side. “Anything you wouldn’t say in a phone call to a state-run carrier shouldn’t be said in MAX,” warns RKS Global.
- Keep app permissions to a minimum. RKS Global strongly advises against granting permissions to contacts, microphones, cameras or phones unless absolutely necessary and recommends revoking them immediately after use.
- Avoid the RuStore distributed build. RKS Global’s findings suggest that the Google Play distribution may be slightly more secure and that the RuStore building has a significantly larger attack surface.
- Assume that using a VPN is not a protection. Experts warn that a standard VPN will not protect your privacy on this app as you might expect. This is because MAX reportedly has the ability to detect VPN usage, disable features when a VPN is active, and use external IP checking services to uncover a user’s real exit IP.
- If you must use MAX, store it in a sandbox. Whenever possible, experts recommend using MAX on a secondary Android profile or a dedicated device. Sign in with a secondary phone number, avoid associating it with your real contacts, and disable microphone access until the exact moment of a call.
- Avoid sharing sensitive information. For private conversations, RKS Global suggests using an end-to-end encrypted alternative—like Signal or a self-hosted Matrix client—while treating MAX exactly as you would a government-monitored phone line.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
