Russian Max messenger used for surveillance by the state

VK, a social networking company controlled by the Russian state through Gazprom and Sogaz, released the Max messenger on 26 March 2025, presenting it as the foundation of a planned national super-app. The Russian State Duma passed legislation on 10 June 2025 requiring all smartphones and tablets sold in Russia from 1 September to come pre-installed with Max. The same legislation links Max to a national digital ID system used for accessing public services.
Security researchers from the Telegram channel Scamshot analyzed the Android version of the app. Their static and dynamic analysis found that Max accesses the device clipboard and retrieves a list of installed applications. This information is transmitted to external servers. The application also includes third-party libraries, including components developed in Ukraine, the United States, and Poland. This discovery contradicts earlier claims that the app was fully domestically developed.
The app’s privacy policy states that it may collect device metadata, including IP address, device ID, contact list, and timestamps. The policy allows this data to be shared with commercial partners and state or local authorities. It does not provide clear limitations on the scope or frequency of this data transfer.
Corporate records show that the company listed as the developer of Max, LLC Communication Platform, employs two individuals and does not possess security certifications issued by the Federal Security Service (FSB) or the Federal Service for Technical and Export Control (FSTEK). These certifications are typically required for software handling encryption and personal data within the Russian Federation.
VK has denied allegations of unauthorized surveillance and stated that user data is stored in Russian data centres. On 1 July 2025, the company announced a public bug-bounty program offering up to five million rubles for verified vulnerabilities in the mobile, web, or desktop versions of Max. As of mid-July, no rewards have been reported, and no critical vulnerabilities have been disclosed publicly through the program.
The Russian Ministry of Digital Development confirmed plans to integrate Max with Gosuslugi, the state portal for digital public services. According to government statements, this will allow users to access services such as document signing, tax notifications, and benefit applications directly through the messenger. Integration with the digital ID system will associate each Max account with a verified identity based on SIM registration.
Under Federal Law No. 374-FZ, known as the Yarovaya Law, telecommunications providers are required to store users’ communication content for six months and related metadata for up to three years. Providers must also hand over decryption keys to the authorities upon request. Max, being a communications platform hosted domestically and linked to verified digital identities, falls under the scope of this regulation. This enables Russian authorities to legally access stored data without needing to compromise the system externally.
Statements by government officials in July 2025 indicated that the integration of Max with public services will be expanded. Legislative proposals have also suggested restrictions on foreign messengers operating in Russia, citing national security concerns. Previous warnings by parliament members hinted that platforms like WhatsApp could be forced to exit the Russian market if they fail to comply with local data processing laws.
In addition to clipboard access and app inventory, static code analysis by researchers also identified capabilities for background activity tracking and data synchronization on launch. These behaviors are not explicitly listed in the app’s user interface or public documentation.
No evidence of a security breach or unauthorized third-party access to user data has been published. All findings regarding Max’s data collection and handling have been based on analysis of the application itself and official policy documents. Security professionals continue to monitor for signs of misuse or unexpected behavior, but no independent audits have confirmed or disproven VK’s claims of safe data handling.
Further developments may depend on the results of the ongoing bug-bounty program, independent third-party code audits, and any new legislation related to mandatory software on consumer devices in Russia. Until then, Max remains a legally enforced platform with high-level data access mechanisms built into its design.