
You already know Russia’s Max messenger spies on users. You probably don’t know just how many surveillance tools it hides, including even a neural network for eavesdropping.

Source: Meduza

It has long been known that the Russian messenger Max is an unreliable and even dangerous service that constantly spies on its users. But IT specialists continue to find new vulnerabilities and surveillance tools in the app. In mid-May, a user of the IT site Habr shared the results of his own analysis of Max for Android. He not only confirmed previously known information but also revealed previously unknown features of the app. Some of them — such as the ability to disable all encryption on a messenger conversation with a single command — are fairly alarming. Meduza explains what else has come to light about Max and how many people are now using the platform.

A user of the website Habr, going by the handle zarazaexe, published a post on May 18, 2026, laying out an array of surveillance mechanisms and other user-hostile features built into the Max messenger. The data came from reverse engineering — analyzing the finished program’s APK file. The same user had previously examined Telega — a third-party and also dangerous Telegram client.

Some of what zarazaexe found had already been documented by cybersecurity researchers. An April study by RKS Global found that Max collects a list of every app installed on a device and sends it to VK’s servers, checks for installed VPNs, and can monitor a user’s address book — and that is far from a complete inventory of trackers.

But the post also describes features that had not previously attracted attention. One is a forced-update feature that lets developers replace everything in the app with a special screen saying, “You won’t be able to write or call in this version,” and a button to update.

That button, the author notes, points to download.max.ru, meaning the update is delivered via an APK file hosted on the messenger’s own server — bypassing Google Play entirely. The mechanism makes Max resistant to blocking. If Russian authorities move to restrict access to Google’s services, or if Google restricts its own services in Russia or removes the app from the store, developers can push an updated version to all users without going through any external platform.

Whether the scheme will actually work is another question. Google plans to overhaul Android app verification rules worldwide next year. The mechanism already violates several Google Play policies at once, and under those policies Max would have to be classified as malware.

The messenger can also have TLS session validation disabled via a server command. When that happens, the connection security check stops working and the client becomes vulnerable to a MITM attack. Anyone controlling the network equipment between a user and the server — Roskomnadzor through Russia’s internet traffic filtering system (TSPU), or even a mobile carrier — could gain access to messages, files, and passwords.
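The failure mode described above, as an added example that is not taken from the Habr post or from the Max app: a client whose certificate checks can be switched off by a server-pushed setting, beside one that ignores such a setting, with a small audit a client team could run as a regression check. It uses Python's `ssl` module instead of Android's APIs, and the key name `disable_tls_validation` is hypothetical.

```python
import ssl

# Hypothetical key name: the article does not publish the real server command.
FLAG = "disable_tls_validation"

# Constructed sample of server-pushed settings, not captured traffic.
SAMPLE_CONFIGS = [{}, {FLAG: False}, {FLAG: True}]


def context_honoring_server_flag(remote_config):
    """Weak pattern: a remote setting can switch certificate checks off."""
    ctx = ssl.create_default_context()
    if remote_config.get(FLAG):
        ctx.check_hostname = False       # has to be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # any certificate is now accepted
    return ctx


def context_ignoring_server_flag(remote_config):
    """Hardened pattern: validation is fixed in code; remote config is not consulted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validates_peer(ctx):
    """True only if both the certificate chain and the hostname are checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def audit(builder, configs=SAMPLE_CONFIGS):
    """Return every config under which `builder` yields a non-validating context."""
    return [cfg for cfg in configs if not validates_peer(builder(cfg))]


if __name__ == "__main__":
    print("weak builder fails for:", audit(context_honoring_server_flag))
    print("hardened builder fails for:", audit(context_ignoring_server_flag))
```

Once a context reaches the non-validating state, the client has no way to tell the real server from equipment sitting on the network path, which is why the hardened builder never reads the flag at all.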

The version of the app that zarazaexe examined also contained a neural network for real-time speech recognition capable of identifying a speaker by voice, recognizing specific keywords, and generating text transcripts of conversations. The recordings were stored without encryption.

Those features were removed in app version 26.16.0, released on May 14, the author notes, but the technical capability to restore them in a future Max update remains.

A user on the Pikabu website had written about the neural network as early as mid-April 2026, forcing messenger representatives to deny reports of user surveillance at the time. The Russian state news agency TASS quoted a statement from platform representatives: “Call technology in Max uses machine learning to analyze connection conditions and automatically adjust call parameters. This is how the system knows when quality drops below a critical level in order to switch the server or codec.”

The Max press office also put out a response to zarazaexe’s post, calling the information “fake” and saying “all user data is reliably protected.” The author of the post said he found the response completely unconvincing.

The number of Max users will soon exceed Russia’s entire population. It has already surpassed Telegram in average daily reach.

VK continues to highlight what it calls rapid user growth for the messenger. The company’s press office said in late March that Max had registered more than 107 million users in its first year; by early May, VK said that total had risen above 120 million.

Some press releases specify that the figure includes foreign users. The messenger has become available not only in Russia but also in 39 countries — primarily in Asia, Africa, the Middle East, and Latin America.

How close those figures are to reality is hard to say. But according to the audience measurement firm Mediascope, a growing number of Russians are in fact using the service. In April 2026, Max topped the rankings among all messengers in Russia by average daily reach for the first time — 68 million users. Telegram fell to second place at 50 million, though it still leads in monthly reach: nearly 88 million, compared to 85 million for Max.

April was the first full month since Russia began blocking Telegram. The messenger’s availability started falling sharply in mid-March and has stayed at about 10 percent since mid-April. That means users can now access Telegram only by using tools to bypass the blocks, such as a VPN or proxy.

Under those conditions, Max is slowly but steadily beginning to displace Telegram as the primary messenger for a significant portion of users. As with YouTube, the service is not completely banned, but people often cannot use it without a VPN. That has led to an inevitable decline in its audience.

Meduza has written repeatedly that people most often switch to Max against their will — not only because direct competitors are blocked, but because of constant pressure from authorities and employers, and because the messenger has steadily penetrated every sphere of daily life: from interaction with government services and education to finance, healthcare, and transportation.

Max is typically offered as a “convenient” alternative to existing services. In mid-May, all four major mobile carriers — MTS, Beeline, MegaFon, and T2 — reached an agreement with VK to send authentication and service messages through the messenger.

The option to receive such messages by SMS will remain, but judging by statements from MTS and MegaFon executives, it will gradually become a backup channel — and the carriers themselves will likely begin pushing Max as the primary delivery channel for such information.

Where the messenger has so far failed to gain ground is as Russians’ primary source of news and entertainment. By the end of April, Max had, according to official data, around 300,000 public channels, compared to more than 1.6 million on Telegram — and only five of those Max channels have more than a million subscribers, including the messenger’s own announcements channel.

Audiences for Telegram channels have been slow to move to Max, and according to rumors, since mid-April the administrators of popular channels have been going back to the blocked messenger. New channels are again being created more quickly on Telegram than on VK’s service. That has slowed the development of the advertising market, and as a result, more and more scams are being promoted on Max — a word many also use for the “national” messenger itself.

At Meduza, we are committed to transparency about our use of artificial intelligence in the newsroom. The story you’re reading was written by one of our living, breathing journalists and translated from Russian using an AI model configured to follow our strict editorial standards. This translation process is the result of extensive testing and refinements to ensure our English-language coverage is timely and accurate. A Meduza editor reviews every draft before publication.
