Russia’s state-backed MAX messenger contains a hidden tracking module that detects when users connect through a VPN and reports their network details to servers in Russia, according to independent analysis. The MAX app VPN tracking capability was initially flagged by a researcher and subsequently confirmed by RKS Global, a digital security organization, after examining the app’s latest version.
Key Takeaways
- MAX contains a hidden module called HOST_REACHABILITY that transmits VPN detection data to Russian servers.
- RKS Global independently verified that MAX can identify VPN usage, VPN server IP addresses, user ISPs, and blocked websites.
- The company denies the allegations, claiming technical solutions are only for service quality and call reliability.
- Removing the app entirely is described as the only reliable protection for users with active VPN connections.
- Other VK-developed applications may contain similar tracking functionality, according to security researchers.
What the MAX app VPN tracking analysis found
RKS Global reported that the MAX app VPN tracking module collects and transmits specific network information every time the application opens. The hidden component, named HOST_REACHABILITY, gathers data about whether a user is connected to a VPN, identifies the VPN server’s IP address, determines the user’s internet service provider, and detects which websites or services are accessible or blocked on the network. All this information is sent to VK servers in Russia without user consent or the ability to disable the monitoring.
According to RKS Global’s analysis, the MAX app VPN tracking system operates independently of the app’s legitimate functions. The organization stated it could “fully confirm” the findings after independently analyzing the latest version of the application. This verification matters because it moves the claim beyond a single researcher’s assertion into territory where external security experts have validated the technical details.
MAX’s response and the company’s denial
MAX’s press team rejected the tracking allegations, telling TechRadar that the “technical solutions used are aimed at ensuring high-quality service operation — primarily calls and notifications”. The company further stated that these measures “have no bearing on personal data or the use of other services, including VPN.” This response frames the network monitoring as infrastructure maintenance rather than surveillance, though it does not address the specific capabilities that RKS Global documented.
The denial creates a direct contradiction with the independent analysis. MAX claims the technical solutions serve only operational purposes, yet RKS Global found that the app actively detects VPN usage and reports it to Russian infrastructure. The company’s statement does not explain why call quality or notification delivery would require identifying a user’s VPN server address or ISP details.
Mitigation steps for MAX app VPN users
RKS Global urged people using MAX on devices with active VPN connections to remove the application entirely, describing this as “the only reliable mitigation”. For users unable to delete the app, the security organization provided several alternatives, though none are guaranteed to block the tracking completely.
If full removal is not possible, RKS Global suggested configuring the VPN at the router level rather than installing it directly on the device. This approach isolates VPN traffic at the network gateway, potentially limiting what individual applications can detect about the connection. Users can also disable the VPN before opening MAX, though this temporarily removes privacy protection while using the messenger. Advanced users may block the app’s network traffic using custom DNS filtering or firewall rules. On Android devices, installing MAX in a separate, isolated workspace can restrict the app’s access to broader device network information.
Despite these workarounds, security researchers emphasize that removing the software provides the strongest protection. The alternatives create friction and require ongoing manual intervention, making them impractical for regular users who rely on VPN protection for other activities.
Broader concerns about VK-developed applications
RKS Global warned that other applications developed by VK, the Russian technology company behind MAX, may include similar tracking functionality. This warning extends the concern beyond a single messenger app to an entire ecosystem of software. Users in Russia or those running VK applications elsewhere should consider whether they trust the company’s handling of network metadata and connection information.
The allegation that MAX app VPN tracking exists within a state-backed messenger raises questions about the relationship between application developers and government surveillance infrastructure. When a company is state-backed or state-mandated, the line between corporate data collection and state monitoring becomes blurred. Users cannot assume that data sent to company servers remains private from government access.
Why this matters for privacy-conscious users
The MAX app VPN tracking discovery matters because it reveals how applications can silently detect circumvention tools without users’ knowledge. VPNs are critical privacy infrastructure for people in countries with internet restrictions, journalists, activists, and anyone seeking to protect their browsing from network-level monitoring. An app that detects VPN usage can identify which users are attempting to bypass censorship or surveillance, creating a security risk for vulnerable populations.
Unlike a transparent privacy policy that warns users about data collection, the hidden HOST_REACHABILITY module operates without disclosure. Users cannot consent to or opt out of this monitoring. The discovery also suggests that state-backed applications may prioritize government interests over user privacy, even when those interests conflict with the app’s stated purpose of providing secure communication.
Can you completely protect yourself from MAX app VPN tracking?
The most reliable protection is removing MAX from your device entirely. If deletion is not possible, router-level VPN configuration provides better isolation than device-level VPN, though it requires technical setup and does not guarantee complete protection. Using custom DNS or firewall rules can block some of MAX’s network traffic, but determined tracking may find alternate pathways.
Are other Russian apps monitoring VPN usage?
RKS Global warned that other VK-developed applications may contain similar tracking functionality, though the organization did not name specific apps or provide analysis of other software. Users should assume that state-backed applications may include network monitoring capabilities similar to what was found in MAX.
What should users do if they already use MAX?
If you currently use MAX with an active VPN connection, RKS Global recommends removing the application as the safest option. If removal is not immediately possible, disable your VPN before opening MAX and re-enable it afterward. For long-term protection, consider switching to alternative messengers that are not state-backed and have transparent privacy practices. The MAX app VPN tracking discovery underscores why users in countries with internet restrictions should carefully evaluate which applications they trust with their network information.
Edited by the All Things Geek team.
Source: TechRadar

