Russia's State Messenger Can Record You, Detect Your VPN, and Straight-Up Gaslight You

By Tech Writer and Security Investigator Dominykas Zukas
Last updated: 22 May, 2026

Key Takeaways

  • A Russian security researcher decompiled Russia's state-backed MAX messenger and found 15 alleged surveillance capabilities, including covert audio recording, VPN detection, message deletion, and a hidden module that collects real IP addresses and reports them to a server not mentioned in the app's privacy policy.
  • Digital rights group RKS Global reviewed the 25 technical claims made in the analysis and confirmed 14 outright, partially confirmed 6 more, and found none to be outright false.
  • MAX, which has been mandatory on all new Russian smartphones since September 2025, denied all allegations, calling the researcher's analysis "fake."
  • A separate RKS Global report found that, following an April 2026 update, all 30 of the most popular Russian Android apps now actively detect VPN connections, with MAX obfuscating its detection methods using XOR encoding to evade researchers.

When Your Phone's Default App Is Working Against You

Russia's state-backed messaging app MAX has been mandatory on every new smartphone sold in the country since September 2025. Its domain sits on the whitelist of Russia's TSPU deep packet inspection infrastructure, making it the one messenger guaranteed to keep working when censorship is at maximum. Built by VK and effectively state-controlled since 2021, with Gazprom and Rostec among its majority owners and a CEO whose father is Putin's chief of staff, it is not a neutral product by any measure.

On May 18, 2026, a security researcher published a reverse-engineering analysis of MAX's APK on Russian tech forum Habr, claiming to have found 15 significant surveillance issues. The researcher alleges the app detects VPN usage at five points and blocks access to chats until you disable it, covertly records raw audio during calls and uploads it, deletes messages directly from a user's local database via silent push notifications with no visible trace, and can remotely disable TLS certificate validation, opening connections to interception at the carrier or state level. 

A hidden module called trace_flow queries six external IP-check services to collect your real public IP, then reports that alongside your device ID, mobile operator, and VPN status to trace-flow.ru, a domain absent from MAX's privacy policy. As security researchers told Forbes when the mandatory pre-install requirement was first announced, MAX is "insecure by design to serve its purpose: people surveillance."

VPN? MAX Already Knows, and It Has Been Prepared for That

The VPN detection goes well beyond a simple flag check. At five points in the app (contacts, call history, new chat, open chat, and the call screen), MAX surfaces a prompt telling users to disable their VPN, with the server able to escalate enforcement remotely for individual accounts. Mini-apps refuse to load under any VPN connection at all.

The trace_flow SDK specifically targets split-tunnel configurations by querying external IP-checkers and comparing against the device's actual routing to identify the real exit IP regardless of what the VPN reports.
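The traffic pattern described for trace_flow (several IP-check lookups followed by a report to a host outside the privacy policy) is something an analyst can look for in a device's DNS log. The following is an added example, not code from the researcher's analysis or the RKS Global report; only trace-flow.ru comes from the article, while the app names, the IP-check hostnames and the declared-domain list are constructed placeholders.

```python
from collections import defaultdict

# Constructed DNS log: (seconds, app, queried host). Only trace-flow.ru is from
# the article; the app name and every other hostname are placeholders.
ECHO = {f"ipecho-{c}.example" for c in "abcdef"}   # stand-ins for IP-check services
DECLARED = {"messenger.example"}                   # assumed privacy-policy domains
DNS_LOG = [
    (1.0, "messenger.under.test", "api.messenger.example"),
    (10.0, "messenger.under.test", "ipecho-a.example"),
    (10.4, "messenger.under.test", "ipecho-b.example"),
    (10.9, "messenger.under.test", "ipecho-c.example"),
    (11.3, "messenger.under.test", "ipecho-d.example"),
    (11.8, "messenger.under.test", "ipecho-e.example"),
    (12.5, "messenger.under.test", "ipecho-f.example"),
    (13.0, "messenger.under.test", "trace-flow.ru"),
    (20.0, "weather.under.test", "ipecho-a.example"),  # single lookup: benign
    (21.0, "weather.under.test", "api.weather.example"),
]

def is_declared(host, declared):
    """True if host equals or is a subdomain of a declared domain."""
    return any(host == d or host.endswith("." + d) for d in declared)

def find_ip_probe_bursts(log, echo_hosts, declared, window=30.0, min_services=3):
    """Flag apps that query several IP-check services in one window, and list
    undeclared hosts they contact shortly after (possible report endpoint)."""
    by_app = defaultdict(list)
    for ts, app, host in sorted(log):
        by_app[app].append((ts, host))
    findings = []
    for app, events in by_app.items():
        probes = [(ts, h) for ts, h in events if h in echo_hosts]
        for start, _ in probes:
            burst = {h for ts, h in probes if start <= ts <= start + window}
            if len(burst) < min_services:
                continue
            undeclared = sorted({h for ts, h in events
                                 if start <= ts <= start + 2 * window
                                 and h not in echo_hosts
                                 and not is_declared(h, declared)})
            findings.append({"app": app, "start": start,
                             "services": len(burst), "undeclared": undeclared})
            break  # one finding per app is enough for triage
    return findings

if __name__ == "__main__":
    for f in find_ip_probe_bursts(DNS_LOG, ECHO, DECLARED):
        print(f)
```

A single IP-check lookup is common in ordinary apps, which is why the check requires several distinct services inside one window before it reports anything.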

A separate HostReachabilityChecker, first identified by another researcher in March 2026, pings a server-controlled list of domains, including Telegram and WhatsApp, reporting which ones are reachable from your device along with your operator and connection type. Russia's broader VPN crackdown plans give that surveillance map obvious operational value.

MAX Calls It Fake, and the Researchers Disagree

MAX's press team called the analysis "fake," stating the app "does not monitor users, does not collect their personal data," and insisted all user data is "securely protected." Cloudflare briefly labeled MAX as spyware in May 2026, then removed the label 24 hours later without public explanation.

Just to be sure, RKS Global was asked to independently assess the 25 claims. Their finding: 14 fully confirmed in the code, 6 partially confirmed, 5 unverified without dynamic testing, and none outright false. Where the analysis overstated its case, the errors were on naming specifics in obfuscated code, not on substance.

The Only Messenger Left Running, and It Is Watching You

Most surveillance apps are things people are tricked into installing. MAX is different: the Russian state legislated it onto every new phone, whitelisted its domain so it survives censorship events that kill everything else, and controls the company that builds it. When Russia eventually cuts off the VPN access it has been systematically dismantling since it first tried to block Telegram years ago, MAX will be the last messaging app standing, and it will already know whether you were using one.

The full RKS Global research report documents four separate exfiltration channels for VPN status, a hidden SDK reporting to a domain absent from the privacy policy, and a server that can disable certificate validation on command. That is a privacy nightmare through intent, not negligence, and Russia should be asked to justify every line of it.

Device-level VPN detection is now essentially unavoidable on any Russian app. But for people in Russia who are not about to give up and give away their digital privacy and security, all is not lost just yet.

For example, a VPN running at the router level remains undefeated, because the tun0 interface is created on the router itself rather than on the phone. Pair that with Mysterium VPN (now at 82% off), which offers a vast pool of nearly undetectable residential IPs, and you've got a connection that does not answer to any government.

Where there’s a will, there’s always a way, and no government-issued messaging app can stop you.


© Copyright 2026 UAB "MN Intelligence"