Russia


  • Security researchers found that Russian app MAX can monitor VPN users
  • MAX rejects allegations, saying data is used to ensure high-quality service
  • Experts recommend removing the app from any device where a VPN is used

A user on Russian security forum Habr claimed that Russia’s state-backed messaging service MAX could monitor VPN users, saying it was turning “national messaging into a state spyware tool.”

The user posted details that he says show the app “contains a spy module.” After being contacted by TechRadar, technical experts at RKS Global – a Russia-focused digital rights organization – said they were able to “fully confirm” the findings following an independent analysis of the latest version of the app.

RKS Global told TechRadar: “MAX can determine that the user is using a VPN, identify the IP address of the VPN server, consult the user’s ISP, and detect restrictions or blocks that the user is bypassing.”

The app is developed by VK – the Russian provider behind the Mail.ru email and VKontakte social media services – and is integrated with government services. It was first launched in March 2025 and, since September, must be pre-installed on every new smartphone and tablet sold in Russia.

The MAX press team was quick to dismiss the tracking claims, saying that “the technical solutions used are aimed at ensuring high-quality operation of the service – primarily calls and notifications.” The company added that “they have no impact on personal data or the use of other services, including VPN.”

Russian VPN provider Paper VPN offered a more cautious perspective. In an article on

TechRadar has contacted MAX for comment.

How MAX would track VPN users – and the potential risks

According to technical analysis confirmed by RKS Global, every time a user opens the MAX application, a hidden module named HOST_REACHABILITY collects and sends details about their network environment to VK servers in Russia.

Under Russian law, VK must store and share this information with law enforcement upon request.

The data transmitted would indicate whether the user is connected to a VPN, which websites are accessible or blocked on their network, their real IP address and their ISP. Importantly, users cannot disable this monitoring.

The analysis also revealed that the module can be controlled remotely. This, RKS Global explains, indicates that targeted activation is possible. Additionally, app traffic appears to be deliberately hidden to make these controls harder to detect.

RKS Global warned that this level of tracking could lead to the deanonymization of VPN connections – a particularly serious risk for users in Russia.

Although VPNs themselves are not strictly illegal in Russia, their use is increasingly criminalized. In July 2025, the Russian Parliament approved a law to punish online searches for so-called “extremist” content and established the use of a VPN to access prohibited content as an aggravating legal circumstance.

Paper VPN noted, however, that the Kremlin already has the ability to monitor VPN usage through other services. Nonetheless, the provider echoed concerns about the broader privacy risks of using the app, simply stating that “MAX is not a secure and confidential messenger.”

These latest findings follow a separate technical study last August, which concluded that MAX had “enormous surveillance potential.”

How to stay safe

Security researchers at RKS Global urge anyone using MAX on a device with an active VPN connection to remove the app completely.

If deleting the app is out of the question, they suggest setting up a VPN at the router rather than directly on the device. If this is not an option, users should always disable their VPN before opening MAX.

There are also workarounds suitable for more advanced users, including blocking the application’s network traffic through a custom DNS or firewall. On Android, users have the option to install MAX in a separate, isolated workspace to restrict its access to the device’s broader network state.

RKS Global says that ultimately removing the software is “the only reliable mitigation measure” and warned that other apps developed by VK could include similar tracking functionality.

