In a significant move aimed at enhancing its digital surveillance capabilities, Russia has mandated that all new smartphones and tablets sold within its borders come pre-installed with a messaging application known as Max. Developed by VK, a prominent Russian social media entity, the app has drawn scrutiny from security experts who label it a potential privacy catastrophe.
Despite the Russian interior ministry’s assertions that Max offers superior security compared to rival applications, cybersecurity analysts have uncovered alarming details regarding its functionality. A researcher, utilizing the phone forensics tool Corellium, conducted a thorough examination of Max’s software and reported that it engages in “excessive tracking” of user activities. Preferring to remain anonymous due to concerns over potential repercussions from Russian intelligence, the researcher stated, “This app just gathers all the data and logs it. I don’t remember seeing that in any messenger app. Max is not secure at all. There is no cryptography, unless it’s hidden very well, but I doubt that. It is insecure by design to serve its purpose: people surveillance.”
Launched in March, Max currently caters to users with Russian and Belarusian phone numbers. While it operates similarly to popular messaging platforms like Telegram and WhatsApp, it also features an AI chatbot named GigaChat 2.0, along with functionalities for travel bookings and bank transfers.
Further analysis revealed that Max requests permissions to access standard device features such as the camera and microphone. The code underlying the app appears to be largely derived from TamTam, an earlier messaging service created by VK.
Patrick Wardle, a former NSA analyst and current CEO of the security firm DoubleYou, corroborated the findings of the initial analysis. He highlighted that Max’s architecture includes high-accuracy background location tracking capabilities, raising concerns about its implications for user privacy. “Real-time location and access to communications of its citizens—what more could an authoritarian government want?” he remarked.
Another Russian researcher, who also opted for anonymity, advised against using Max, describing it as “just one huge vulnerability.” At the time of publication, VK had not responded to inquiries regarding the app. The company, known for creating VKontakte, Russia’s largest social network, is now predominantly state-controlled, with majority ownership held by various Russian enterprises, including state-run Gazprom and Rostec. VK’s CEO, Vladimir Kiriyenko, is the son of Sergei Kiriyenko, who serves as chief of staff to President Putin. Recently, VK reported a revenue of 72.6 billion Russian rubles, equivalent to approximately 2 million.
Starting September 1, the requirement for Max to be pre-installed on all “gadgets,” including mobile phones and tablets sold in Russia, will take effect. Additionally, Russia’s domestic app store, RuStore, will be pre-installed on all Apple devices from the same date, while it is already a standard feature on Android systems.
As part of its broader strategy to exert tighter control over the domestic internet and shape the narrative surrounding its ongoing conflict in Ukraine, Russia is not limiting its efforts to mobile devices. The government is also set to enforce the installation of Lime HD TV, an application for accessing state-controlled channels, on all smart televisions beginning January 1 of the following year.