Russia’s Controversial Move to Require Pre-installed Max Messaging App Raises Privacy Concerns
In a concerning development for digital privacy rights, Russia announced last week that all new phones and tablets sold within its borders must come pre-installed with a messaging app called Max, beginning September 1. This app, developed by Russian social media giant VK, has been flagged as a significant privacy risk by security experts who conducted technical analyses of the software. Despite Russia’s interior ministry claiming that Max offers superior security compared to competing messaging platforms, independent cybersecurity researchers have discovered alarming privacy issues within the application’s code, revealing what appears to be a sophisticated surveillance tool rather than a secure messaging service.
According to a detailed analysis conducted using the phone forensics tool Corellium, Max engages in “excessive tracking” of user activity. The cybersecurity researcher who performed this analysis (requesting anonymity due to concerns about potential reprisals from Russian intelligence agencies) described unprecedented levels of data collection, stating, “This app just gathers all the data and logs it. I don’t remember seeing that in any messenger app.” The researcher emphatically concluded that “Max is not secure at all,” noting a conspicuous absence of proper cryptography. Most concerning was their assessment that the app appears “insecure by design to serve its purpose: people surveillance.” This fundamental design philosophy stands in stark contrast to other popular messaging platforms that prioritize user privacy and data security.
While Max superficially resembles popular messaging services like Telegram and WhatsApp, offering similar communication functions alongside additional features such as an AI chatbot called GigaChat 2.0 and capabilities for booking travel and making bank transfers, its underlying architecture tells a different story. Launched in March and currently limited to Russian and Belarusian phone numbers, the app’s code is largely based on TamTam, an older messenger developed by VK. Patrick Wardle, former NSA analyst and CEO of Apple-focused security firm DoubleYou, confirmed the analysis findings and highlighted particularly troubling elements in Max’s code that indicate built-in, high-accuracy background location tracking. Wardle summarized the implications bluntly: “Real time location and access to communications of its citizens—what more could an authoritarian government want?”
The connections between VK and the Russian government raise additional red flags about Max’s true purpose. VK, best known as the creator of Russia’s largest social network VKontakte, is effectively under state control; since 2021, it has been majority-owned by several Russian businesses, including state-run enterprises Gazprom and Rostec. The company’s CEO, Vladimir Kiriyenko, is the son of Sergei Kiriyenko, who serves as President Putin’s chief of staff—a relationship that further blurs the line between the private company and government interests. With VK recently reporting revenue of 72.6 billion Russian rubles (approximately $902 million), the company has both the resources and apparent political backing to implement sophisticated surveillance technologies. When asked to comment on the security concerns, VK had not responded at the time the analysis was published.
Russia’s mandate extends beyond just Max, reflecting a broader pattern of digital control. Starting September 1, Russia’s domestic app store, RuStore, will also be pre-installed on all Apple devices sold in the country—a requirement already in place for Android systems. Even more concerning for privacy advocates, the government isn’t limiting its reach to mobile devices. Beginning January 1 next year, Russia will require the installation of Lime HD TV, an application for watching state-controlled television channels, on all smart TVs sold in the country. These measures appear to be part of Russia’s expanding efforts to gain greater control over its domestic internet infrastructure and to manage the narrative surrounding its ongoing war in Ukraine.
Security experts uniformly advise against using the Max application under any circumstances. A Russian researcher, who also requested anonymity for safety reasons, described the app as “just one huge vulnerability” and strongly cautioned against its use in any capacity. This consensus among cybersecurity professionals paints a troubling picture of Russia’s digital future—one where citizens’ private communications and physical movements may be continuously monitored through everyday technology. As Russia continues to implement these digital control measures, the line between communication tools and surveillance infrastructure grows increasingly blurred, raising serious questions about privacy rights in the digital age and highlighting the challenges faced by citizens living under technologically enabled authoritarian governance.