NEWS What's being called a backdoor was allegedly found in the MAX code. Technically, this isn't true at all—but it's not entirely wrong either.

pinkman
MAX denies the allegations, but questions about hidden network telemetry remain.
In early March, reverse engineering results for the HOST_REACHABILITY module appeared on Habr and ntc.party. Among the intercepted messages, researchers found the GET_HOST_REACHABILITY event type, within which the client sends a detailed report to the api.oneme.ru server, including the user's IP address, connection type, mobile operator PLMN code, VPN activity flag (defined via the standard Android API NetworkCapabilities.TRANSPORT_VPN), and the results of availability checks for several hosts, including gosuslugi.ru, gstatic.com, main.telegram.org, and mmg.whatsapp.net. For each address, the client checks two parameters: ICMP ping and TCP connection to port 443.

The module is triggered when the app is minimized and reopened, and the host-reachability server flag allows for granular enabling and disabling of this check for individual accounts. The messenger transmits telemetry along with its main traffic via a proprietary protocol, making it significantly more difficult to block such requests without disabling MAX itself. According to the researchers, this system allows for the detection of VPN use based on the discrepancy between IP addresses received from Russian and foreign services, the verification of the effectiveness of blocking on the TSPU, and, in certain scenarios, the identification of private VPN server addresses.
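As an added example (not the page's or MAX's code), the following Python flags the probe pattern described above in a constructed on-device flow log: one process both ICMP-pinging and opening TCP/443 to several of the named hosts within a short window. The log format, the process names and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow log (not captured from the app): "<epoch_s> <process> <proto> <dst_host> <dst_port>"
SAMPLE_LOG = """\
1000.0 messenger tcp api.example.invalid 443
1001.2 messenger icmp gosuslugi.ru 0
1001.3 messenger tcp gosuslugi.ru 443
1001.5 messenger icmp gstatic.com 0
1001.6 messenger tcp gstatic.com 443
1001.8 messenger icmp main.telegram.org 0
1001.9 messenger tcp main.telegram.org 443
1002.0 messenger icmp mmg.whatsapp.net 0
1002.1 messenger tcp mmg.whatsapp.net 443
1050.0 browser tcp gstatic.com 443
1051.0 browser icmp gstatic.com 0
"""

# Probe targets named in the report
PROBE_HOSTS = {"gosuslugi.ru", "gstatic.com", "main.telegram.org", "mmg.whatsapp.net"}

def parse_flow(line):
    ts, proc, proto, host, port = line.split()
    return float(ts), proc, proto, host, int(port)

def find_probe_bursts(log_text, window=10.0, min_hosts=3):
    """Flag processes that both ICMP-ping and open TCP/443 to >= min_hosts probe hosts within `window` seconds."""
    per_proc = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, proc, proto, host, port = parse_flow(line)
        # Keep only the two check types the report describes, against the named hosts
        if host in PROBE_HOSTS and (proto == "icmp" or (proto == "tcp" and port == 443)):
            per_proc[proc].append((ts, host, proto))
    findings = []
    for proc, events in per_proc.items():
        events.sort()
        i = 0
        while i < len(events):
            start = events[i][0]
            in_window = [e for e in events[i:] if e[0] - start <= window]
            seen = defaultdict(set)
            for _, host, proto in in_window:
                seen[host].add(proto)
            # A host counts only if both the ping and the TCP/443 connect were seen
            hosts = sorted(h for h, kinds in seen.items() if {"icmp", "tcp"} <= kinds)
            if len(hosts) >= min_hosts:
                findings.append({"process": proc, "start": start, "hosts": hosts})
                i += len(in_window)  # skip past this burst
            else:
                i += 1
    return findings
```

A single host pinged and connected to by a browser does not trigger the rule; only the burst across several named hosts from one process does.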

A second story quickly emerged on top of the confirmed facts. Liberty's VPN channel on X called the st.max.ru domain a "remote control module" and linked requests to it to server-side command logic. MAX's official developer documentation, however, explicitly states that the max-web-app.js library for mini-apps is loaded from this address. A request to the domain alone does not prove the presence of a hidden command and control server, and independent researchers categorically dispute the "controlled backdoor" theory, calling Liberty's findings unprofessional and biased.

The messenger team denied the accusations. According to the company, IP address data is needed solely for call functionality, as WebRTC uses external IP addresses to establish a direct P2P route between devices, and the availability check for mtalk.google.com is related to the delivery of push notifications. Researchers, however, point out a discrepancy: the collected IP addresses appear not in the call mechanism, but in the HOST_REACHABILITY event. The official statement does not explain why the app would simultaneously access multiple HTTP IP verification services in different countries and networks.

The resonance surrounding this story isn't just due to technical details. MAX is developed by VK, the service is being integrated with government services, and starting September 1, 2025, the app must be pre-installed on new smartphones and tablets in Russia. According to the company, by March 2026, over 100 million users had registered with the messenger. Therefore, any discovered network control module here immediately turns not just into a bug report for a small group of reverse engineers, but into a major public issue about trust in the messenger, which the state is promoting as a basic alternative to foreign services.