September 2025
Testing for Surveillance in MAX on Android and iPhone
Context
In March 2025, VK announced the beta release of the Russian super-app MAX, and by mid-August 2025 the messenger’s press office reported 18 million users. Thanks to administrative pressure and an aggressive media campaign, the app quickly attracted a significant number of users who installed it for work, study, or personal needs.
At the same time, the country began blocking calls in popular global messengers WhatsApp and Telegram, and there have been disruptions in Google Meet — factors pushing people toward the Russian messenger. Starting September 1, 2025, MAX is to be preinstalled on all new smartphones sold in Russia.
The Russian state is actively promoting MAX in an attempt to replicate the success of China's WeChat, which unifies everything from government services to e-commerce. Following the Chinese model, the Russian MAX is designed so that all information and correspondence are stored on Russian servers and are accessible to all interested state agencies and contractors, including through AI tools.
MAX does not provide end-to-end encryption, which means information exchanged via the app can become accessible to third parties at any time. The personal data aggregated in large volumes within the app could be exposed to leaks or attacks.
VK, the parent company of LLC "Communication Platform" — the developer behind the MAX messenger — has been included in the official registry of information dissemination organizers (ORIs) in Russia. Under the so-called "Yarovaya Law", all entities listed as ORIs are required to collect and store user data — including message content and documents for up to six months, and metadata for up to three years — and provide it to law enforcement agencies upon request.
The Russian state is actively promoting MAX in an attempt to replicate the success of China's WeChat, which unifies everything from government services to e-commerce. Following the Chinese model, the Russian MAX is designed so that all information and correspondence are stored on Russian servers and are accessible to all interested state agencies and contractors, including through AI tools.
MAX does not provide end-to-end encryption, which means information exchanged via the app can become accessible to third parties at any time. The personal data aggregated in large volumes within the app could be exposed to leaks or attacks.
VK, the parent company of LLC "Communication Platform" — the developer behind the MAX messenger — has been included in the official registry of information dissemination organizers (ORIs) in Russia. Under the so-called "Yarovaya Law", all entities listed as ORIs are required to collect and store user data — including message content and documents for up to six months, and metadata for up to three years — and provide it to law enforcement agencies upon request.
This has raised concerns among experts, who warn that MAX, being under the control of a state-affiliated entity, may not only comply with legal data retention and disclosure requirements, but could also potentially possess more intrusive capabilities — including covert access to user devices and real-time surveillance. While these scenarios remain unproven, they are considered technically feasible and cannot be entirely ruled out.
Hypothesis
Until now, there has not been enough data for experts to draw firm conclusions about the specific risks users face when installing the MAX super-app. The lack of empirical evidence creates room for errors and subjective interpretations.
One of the most widely circulated hypotheses online is that MAX conducts permanent surveillance by requesting excessive permissions and/or using them without authorization. In particular, opinions have spread that the app may conduct covert audio recording, take screenshots on its own, and observe activity in other apps in real time. Another popular hypothesis is that, in terms of tracking phone activity, MAX behaves similarly to WhatsApp or Telegram.
To test the hypothesis that MAX continuously surveils its users, RKS Global experts carried out a targeted assessment to understand how the app behaves once it is installed on users' phones.
One of the most widely circulated hypotheses online is that MAX conducts permanent surveillance by requesting excessive permissions and/or using them without authorization. In particular, opinions have spread that the app may conduct covert audio recording, take screenshots on its own, and observe activity in other apps in real time. Another popular hypothesis is that, in terms of tracking phone activity, MAX behaves similarly to WhatsApp or Telegram.
To test the hypothesis that MAX continuously surveils its users, RKS Global experts carried out a targeted assessment to understand how the app behaves once it is installed on users' phones.
Methodology
The tests used an iPhone and a Google Pixel. Before testing, both phones were reset to factory settings and updated to the latest OS versions. MAX was then downloaded for the first time from the App Store and Google Play.
The task was to check when and which permissions MAX requests on users' phones, how the app uses those permissions, whether it does anything without permission, and how it communicates with its servers.
Testing lasted 48 hours. On both devices, the app was initially granted access to everything it requested (camera, microphone, contacts, location, calls, files, photos, and videos). During this period, experts monitored phone activity and documented any anomalies. After two days, all previously granted permissions were revoked — monitoring then focused on whether MAX would request them again and under what conditions.
On Android, monitoring included tracking the app by package name (ru.oneme.app) or ID, observing activity via adb, using Android’s built-in tools (Permission Controller), and reviewing the adb bugreport error log.
For iPhone, the sysdiagnose file with app and system logs was analyzed using iLEAPP, and app activity was monitored via the built-in App Privacy Report.
Traffic from both devices was monitored with PiRouge.
The app was tested using a Russian IP address, geolocation, and phone number, as well as with an IP address and geolocation outside Russia.
The task was to check when and which permissions MAX requests on users' phones, how the app uses those permissions, whether it does anything without permission, and how it communicates with its servers.
Testing lasted 48 hours. On both devices, the app was initially granted access to everything it requested (camera, microphone, contacts, location, calls, files, photos, and videos). During this period, experts monitored phone activity and documented any anomalies. After two days, all previously granted permissions were revoked — monitoring then focused on whether MAX would request them again and under what conditions.
On Android, monitoring included tracking the app by package name (ru.oneme.app) or ID, observing activity via adb, using Android’s built-in tools (Permission Controller), and reviewing the adb bugreport error log.
For iPhone, the sysdiagnose file with app and system logs was analyzed using iLEAPP, and app activity was monitored via the built-in App Privacy Report.
Traffic from both devices was monitored with PiRouge.
The app was tested using a Russian IP address, geolocation, and phone number, as well as with an IP address and geolocation outside Russia.
Findings
Over the 48-hour observation period, none of the test configurations revealed improper access to the camera, location, microphone, notifications, contacts, photos, or videos. Technically, the app had the ability to collect and transmit these data, but the experts did not record any instance of this occurring.
After permissions were revoked, no attempts were recorded by the app to regain those accesses — neither through prompts nor by unauthorized means.
After permissions were revoked, no attempts were recorded by the app to regain those accesses — neither through prompts nor by unauthorized means.
The RKS-Global experts study indicates that, at present, the MAX app does not engage in default surveillance of users.
Nevertheless, monitoring should continue under varying locations and conditions. Different users in different geographic areas may experience different app behavior. It is also possible that over time the app could begin to request additional permissions or attempt unauthorized access to the device. More detailed traffic analysis and decryption are required.
Additionally, remember that any apps and websites receive IP addresses, which can indirectly indicate geolocation. In other words, any Russian apps can see the device’s approximate location; with SORM in place, this means law enforcement can obtain this information as well.
Additionally, remember that any apps and websites receive IP addresses, which can indirectly indicate geolocation. In other words, any Russian apps can see the device’s approximate location; with SORM in place, this means law enforcement can obtain this information as well.
Recommendations
RKS-Global experts remind users not to conduct confidential correspondence or send sensitive documents via the MAX messenger. Keep in mind that MAX has significant surveillance potential, as all information in it — including all chats — may be available to government bodies in real time.
At any moment, the behavior of a state-linked messenger can change: it may request more permissions or attempt to obtain them on its own, and it may transmit more information for analysis and monitoring. All further steps you take in installing and using MAX should follow from this understanding and the necessary security measures.
Experts recommend using safer alternatives whenever possible (such as Google Meet, FaceTime, Jitsi, Zoom, etc.) or restoring access to familiar calls via WhatsApp and Telegram using VPNs that are resistant to blocking.
Experts recommend using safer alternatives whenever possible (such as Google Meet, FaceTime, Jitsi, Zoom, etc.) or restoring access to familiar calls via WhatsApp and Telegram using VPNs that are resistant to blocking.