Threat Insight
Russia Rolls Out Surveillance Through State-Backed “Super App” MAX
MAX is a Russian state-backed “super app” developed by VK and promoted by Russian authorities as a domestic alternative to Western messaging platforms. It combines messaging with additional services such as payments, digital identity, and access to government services, placing it within Russia’s legal and surveillance environment.
MAX is being aggressively promoted to Russian citizens as part of Russia’s wider digital sovereignty strategy, which aims to reduce reliance on Western technology platforms and shift communications, payments, identity, and government services into a domestic ecosystem governed by Russian jurisdiction [2]. The app actively checks for the use of a VPN connection, something that is illegal in Russia.
While no additional overt spying functionality has yet been observed, the application’s broad permission set provides the technical foundation for a potential surveillance platform. The app also lacks end-to-end encryption, which means that traffic can be read by Russia’s SORM surveillance framework, so data transmitted through MAX servers should be assumed accessible to Russian security services. [1] [3] [4]
Assessment
The MAX app is just one of many tools for surveillance used by the Russian government. Truesec assesses that it is currently not possible to use computers or mobile devices inside Russia in a safe way that excludes potential surveillance.
Truesec recommends that all organizations avoid traveling to Russia as much as possible and not allow devices that have been physically located in Russia to connect to the organization’s environment.
For organizations that need to have a presence in Russia for business-critical reasons, our recommendation is to segment any presence in Russia from the rest of the network and, if possible, to use only burner phones and similar devices that do not have access to the organization’s network for business travel in Russia.
If you or your organization have concerns about the topic above or need support when operating abroad, please reach out to your Truesec contact for further assistance.
References
[1] https://www.forbes.com/sites/thomasbrewster/2025/08/26/kremlin-whatsapp-rival-is-designed-to-spy-on-users/
[2] https://www.france24.com/en/live-news/20260323-russia-s-max-the-unencrypted-super-app-being-forced-on-citizens
[3] https://rks.global/en/research/max/
[4] https://sovereignsky.no/laws/sorm/