Comprehensive privacy and behavioral analysis of the MAX messenger Android application (ru.oneme.app). Sandbox analysis, user agreement review, and privacy policy assessment.
REPORT STATUS: PRELIMINARY — This report is not yet complete. YonSeSecurity plans to personally reverse-engineer the application code and examine every corner in detail to determine the full extent of its behavior.
ru.oneme.app (formerly VK/Odnoklassniki ecosystem). State-affiliated messenger with excessive permissions, aggressive data collection, root detection, clipboard monitoring, and untrusted code signers. Crashes on hardened OS environments.
MAX (formerly VK Messenger / ICQ New) is a Russian state-endorsed messenger positioned as a replacement for Telegram and WhatsApp in the Russian Federation.
Developed by OOO "MAX" (a Mail.ru / VK ecosystem entity), it is deeply integrated with Russian government information systems (GIS), including Gosuslugi (state services portal), ESIA (unified authentication), and provides "Digital ID" functionality for legal document verification. Its legal framework is built on Federal Law No. 156-FZ of June 24, 2025.
1. Root / Jailbreak Detection. The app actively probes for su binaries across 9 different paths (/system/xbin/su, /sbin/su, /data/local/su, etc.) and checks for Superuser.apk. This means the app fingerprints the security posture of your device.
2. Clipboard Monitoring. Registers a PrimaryClipChangedListener, which fires on every clipboard change while the listener is active and lets the app read the new contents: passwords, crypto addresses, 2FA codes, bank details. One caveat a practitioner should keep in mind: from Android 10 onward the OS only hands clipboard data to the app that has input focus (or the default keyboard), so background capture is blocked by the platform and the exposure is everything copied while MAX is in the foreground. Tagged as credential_access and collection by the sandbox.
3. Contact Harvesting. Reads the full contact list via content://com.android.contacts/contacts. The privacy policy confirms this data is stored on Russian Federation servers.
4. Photo Access. Reads photos via content://media/external/images/media without explicit user interaction during sandbox execution.
5. Dynamic Code Loading. Loads a DEX/JAR file at runtime (androidx.window.sidecar.jar). Runtime code loading is a classic defense evasion technique because it lets an app execute code that was not in the APK at install time. The specific file observed here, however, is the Window Manager sidecar library that Android ships on the system partition and that the androidx.window library loads by design, so this finding establishes the capability rather than proving that app-controlled code was loaded. The follow-up code review should check whether any class loader in the app accepts a path under its private data directory.
6. Untrusted Code Signers. The sandbox flags the APK signing certificate as untrusted. Android APK signing certificates are self-signed by design, so this is true of nearly every Android app and does not by itself indicate tampering; there is no public chain to verify against. What matters is whether the signer certificate hash matches the one used for the official releases, which is a check the follow-up analysis should perform.
7. Device Fingerprinting. Reads /proc/cpuinfo, /proc/meminfo, network operator, active network type — builds a comprehensive device fingerprint.
8. Scheduled Execution. Uses JobScheduler for persistence, so tasks execute even when the app is closed. This is the standard Android mechanism for deferred background work (message sync, push handling) and is expected in any messenger; it matters here in combination with the collection behaviors above.
Android 15 Emulation: MAX crashes on Android 15 emulation. On Android 11 it runs without issues. This suggests the app uses deprecated APIs or relies on behaviors that have been restricted in newer Android versions.
GrapheneOS: On the hardened GrapheneOS operating system, MAX refuses to launch unless the security profile for the app is weakened (the report does not name the setting; the per-app toggle apps of this kind most often need is GrapheneOS's exploit protection compatibility mode, which relaxes hardened_malloc and memory tagging). This is a significant red flag: well-engineered apps do not require users to disable security features. An app that only starts in compatibility mode is usually either tripping memory-safety checks in its native code or making assumptions that hardened environments explicitly block (unrestricted process introspection, reliance on a particular Android trust chain). Which of these applies will only be clear from the code review.
The app communicates with the following Russian infrastructure:
api.oneme.ru — primary API (multiple RU IPs: 155.212.204.194, 155.212.204.90, 155.212.204.140, 155.212.204.150)
sdk-api.apptracer.ru — telemetry/analytics SDK (5.101.40.41) — 15+ connections in a single session
tracker-api.vk-analytics.ru — VK analytics tracking (90.156.232.26)
help.max.ru, legal.max.ru — support and legal pages
edgedl.me.gvt1.com — Google edge delivery
Additionally: chrome.cloudflare-dns.com (8 connections), update.googleapis.com, notifications-pa.googleapis.com, remoteprovisioning.googleapis.com. These four, like edgedl.me.gvt1.com above, are generic Android and Google services endpoints (Chrome's DNS-over-HTTPS resolver, component updates, Play notifications, remote key provisioning for hardware attestation, and Google's download CDN) and are almost certainly background traffic from the sandbox's Android image rather than connections initiated by MAX. They are listed for completeness and should not be treated as app IOCs.
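To turn the host list above into something actionable, here is an added example (not part of the original report and not MAX code) that classifies sandbox connection records by destination, separates the app's own API from third-party telemetry and from Android/Google background traffic, and emits a DNS blocklist for the telemetry tier only. The records are constructed from the hosts named in this section; connection counts the report does not state are marked as assumed, and the category suffix table is my own grouping.

```python
"""Classify sandbox network contacts and emit a DNS blocklist.

Added example for this report, not part of the original analysis or of any
MAX code. Records are (host, ip, connection_count) tuples as you would copy
them out of a sandbox network tab.
"""
from collections import defaultdict

# Suffix -> category. Assumption: a host belongs to the first category whose
# suffix matches; the suffixes come from the hosts named in the report.
CATEGORIES = (
    ("app_api",   ("api.oneme.ru",)),
    ("app_web",   ("help.max.ru", "legal.max.ru")),
    ("telemetry", ("apptracer.ru", "vk-analytics.ru")),
    ("platform",  ("googleapis.com", "gvt1.com", "cloudflare-dns.com")),
)


def classify(host: str) -> str:
    """Exact or dot-bounded suffix match so 'notapptracer.ru' is not blocked."""
    host = host.lower().rstrip(".")
    for name, suffixes in CATEGORIES:
        for s in suffixes:
            if host == s or host.endswith("." + s):
                return name
    return "unknown"


def summarize(records):
    """Group records: {category: {host: {"ips": set, "count": int}}}."""
    out = defaultdict(lambda: defaultdict(lambda: {"ips": set(), "count": 0}))
    for host, ip, count in records:
        entry = out[classify(host)][host]
        if ip:
            entry["ips"].add(ip)
        entry["count"] += count
    return out


def blocklist(summary, fmt="hosts"):
    """Only the telemetry tier is blocked: blocking app_api breaks the app,
    and platform hosts are OS traffic that blocking would only disrupt."""
    hosts = sorted(summary.get("telemetry", {}))
    if fmt == "hosts":
        return [f"0.0.0.0 {h}" for h in hosts]
    if fmt == "dnsmasq":
        return [f"address=/{h}/0.0.0.0" for h in hosts]
    raise ValueError(f"unknown format: {fmt}")


# Constructed from the hosts in this section; counts marked "assumed" are not
# stated in the report.
SAMPLE = [
    ("api.oneme.ru", "155.212.204.194", 4),               # count assumed
    ("api.oneme.ru", "155.212.204.90", 3),                # count assumed
    ("sdk-api.apptracer.ru", "5.101.40.41", 15),
    ("tracker-api.vk-analytics.ru", "90.156.232.26", 2),  # count assumed
    ("help.max.ru", None, 1),                             # count assumed
    ("chrome.cloudflare-dns.com", None, 8),
    ("remoteprovisioning.googleapis.com", None, 1),       # count assumed
    ("edgedl.me.gvt1.com", None, 1),                      # count assumed
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for cat in sorted(s):
        for host, e in sorted(s[cat].items()):
            ips = ", ".join(sorted(e["ips"])) or "-"
            print(f"{cat:10} {host:36} {e['count']:3}  {ips}")
    print("\n".join(blocklist(s, "dnsmasq")))
```

The suffix match is dot-bounded on purpose: a bare `endswith("apptracer.ru")` would also block unrelated domains that happen to end in those characters. Anything that lands in `unknown` is a host the report did not mention and deserves a manual look before it is either blocked or dismissed.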
If you value your privacy: Do not install MAX. Use end-to-end encrypted messengers with verifiable open-source code (Signal, etc.).
If you must use it: Run it in a work profile or on a separate device. Do not grant contacts, camera, microphone, location, or storage permissions. Assume that anything on the clipboard while MAX is in the foreground can be read by the app.
For organizations: MAX should be considered a potential surveillance tool. All data passing through it should be assumed to be accessible to the operator (OOO MAX) and, by extension, Russian state authorities per Federal Law No. 152-FZ.
| Property | Value |
|---|---|
| Filename | MAX_(RS)_v.26.9.1(6643)(8.0-16.0)(arm7a,arm64-8a,x86,x86-64).apk |
| Package Name | ru.oneme.app |
| Version | 26.9.1 (build 6643) |
| Min SDK / Target | Android 8.0 – 16.0 |
| Architectures | armeabi-v7a, arm64-v8a, x86, x86_64 (written as arm7a, arm64-8a, x86, x86-64 in the filename) |
| File Size | 127.5 MB |
| SHA256 | 41d5342b18a8046e9b1a25c76ca33a05a91db43c02db80523bb399c76644512d |
| Sandbox | Recorded Future (Triage) |
| Sample ID | 260324-x9ck1sgv7m |
| Analysis Date | 2026-03-24 19:36 |
| Threat Level | Likely Malicious |
| Score | 8 / 10 |
The following permissions were flagged as dangerous by the sandbox static analysis. Each grants the app capabilities that go far beyond basic messaging functionality.
| Permission | Risk | What It Allows |
|---|---|---|
| SYSTEM_ALERT_WINDOW | Critical | Draw overlays on top of all apps — can be used for tapjacking, phishing, or hiding activities |
| REQUEST_INSTALL_PACKAGES | Critical | Launch the system package installer for other APKs (the user still sees the install prompt; installs are not silent); lets the app sideload additional software outside an app store |
| CAMERA | High | Take photos and video at any time |
| RECORD_AUDIO | High | Record audio via microphone at any time |
| ACCESS_FINE_LOCATION | High | Precise GPS location tracking |
| ACCESS_COARSE_LOCATION | High | Approximate location via cell towers / Wi-Fi |
| READ_CONTACTS | High | Read all contacts on the device |
| WRITE_CONTACTS | High | Modify or add contacts on the device |
| READ_EXTERNAL_STORAGE | High | Read files on shared storage (scoped storage limits this to media files on Android 11+) |
| WRITE_EXTERNAL_STORAGE | High | Write/modify files on shared storage (grants no additional access on Android 11+) |
| READ_MEDIA_IMAGES | High | Read all photos on the device |
| READ_MEDIA_VIDEO | High | Read all videos on the device |
| BLUETOOTH_CONNECT | Medium | Connect to paired Bluetooth devices |
| POST_NOTIFICATIONS | Medium | Display notifications (can be used for social engineering) |
14 dangerous permissions for a messenger app is excessive. SYSTEM_ALERT_WINDOW and REQUEST_INSTALL_PACKAGES warrant particular scrutiny: a messaging app does not need to draw over other apps or install additional software. Both do have common benign uses (overlays for incoming-call bubbles; REQUEST_INSTALL_PACKAGES for self-update in builds distributed outside Google Play, which this filename suggests), so their presence is a capability to verify in the code review rather than proof of abuse.
The app checks 9 paths for su binaries, a clear indicator of root detection.
Root detection in a messaging app tells the developer whether the user has elevated control over their own device. It has a mundane use here, since payment SDKs routinely require it (MAX embeds SBP payments), but the same signal can be used to refuse service, as seen on GrapheneOS, or to adjust behavior on devices the operator does not fully trust.
The app registers android.content.IClipboard.addPrimaryClipChangedListener, so it is notified of every clipboard change while the listener is active and can read the new contents. From Android 10 the OS only delivers clipboard data to the focused app or the default keyboard, which limits this to the time MAX is in the foreground. Categorized as credential_access, collection, and impact by the sandbox.
Loads /system_ext/framework/androidx.window.sidecar.jar at runtime. Dynamic DEX loading is a defense evasion technique (MITRE Mobile ATT&CK T1407, Download New Code at Runtime) that allows an app to execute code that was not present at install time, bypassing static analysis. The file observed here is the Window Manager sidecar library supplied by the system image and loaded by the androidx.window library through the normal class loader, not a dropped payload; the sandbox rule fires on the loader call rather than on the file's origin. What the code review must establish is whether any loader in the app can be pointed at a file under /data that the app writes or downloads.
Uses android.app.job.IJobScheduler.schedule to register background jobs that execute even when the app is not in the foreground. Tagged as execution and persistence.
Acquires a wake lock through android.os.IPowerManager.acquireWakeLock, which keeps the CPU running while the screen is off. This allows continuous background operation for data collection; it is also what any messenger does while processing a push message, so the trigger and duration of the lock are what to check in the code review.
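Several of the findings above (the su path probe, the clipboard listener, the class-loader use, and JobScheduler) can be re-checked statically once the APK is decompiled, which is what the follow-up report intends to do. The following is an added example, not code from MAX and not the sandbox's rule set: it triages a strings dump of the kind produced by running strings over classes.dex or grepping smali, and in particular separates a code file loaded from a system partition (like the sidecar jar) from one under /data that the app controls. The SU_PATHS list is the public RootBeer-style set, of which the report names three; the SAMPLE input is constructed, and the /data/.../hypothetical_payload.dex line is invented to exercise the high-severity branch and was not observed in the sandbox.

```python
"""Static triage of strings extracted from a decompiled APK.

Added example for this report; not MAX code and not the sandbox's rules.
Input: one string per line, as from `strings classes*.dex` or smali greps.
"""
import re
from dataclasses import dataclass

# Well-known su locations (public RootBeer-style list). The report names
# three of the nine paths it observed; the rest of this list is assumed.
SU_PATHS = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/data/local/su",
    "/data/local/bin/su", "/data/local/xbin/su", "/system/sd/xbin/su",
    "/system/bin/failsafe/su", "/su/bin/su", "/system/app/Superuser.apk",
}
# Code files under these partitions are OS-supplied libraries, not payloads.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/apex/", "/vendor/", "/product/")
API_INDICATORS = {
    "clipboard":  ("addPrimaryClipChangedListener", "android/content/ClipboardManager"),
    "dyn_load":   ("dalvik/system/DexClassLoader", "dalvik/system/PathClassLoader",
                   "dalvik/system/InMemoryDexClassLoader"),
    "scheduling": ("android/app/job/JobScheduler", "android/os/PowerManager$WakeLock"),
}
CODE_FILE = re.compile(r"^/\S+\.(?:dex|jar|apk)$")


@dataclass(frozen=True)
class Finding:
    category: str
    evidence: str
    severity: str  # info | medium | high


def classify_code_path(path: str) -> str:
    """A code file on a system partition is normal library use; a file under
    /data (app-private or downloaded) is code the app controls after install."""
    return "info" if path.startswith(SYSTEM_PREFIXES) else "high"


def triage(lines):
    findings = set()
    su_hits = set()
    for raw in lines:
        s = raw.strip()
        if not s:
            continue
        if s in SU_PATHS:
            su_hits.add(s)
            continue
        if CODE_FILE.match(s):
            findings.add(Finding("dyn_load_target", s, classify_code_path(s)))
            continue
        for cat, needles in API_INDICATORS.items():
            if any(n in s for n in needles):
                findings.add(Finding(cat, s, "medium" if cat == "clipboard" else "info"))
    if su_hits:
        # Several distinct su paths in one binary is a root check, not a coincidence.
        findings.add(Finding("root_detection", f"{len(su_hits)} su paths",
                             "medium" if len(su_hits) >= 3 else "info"))
    return sorted(findings, key=lambda f: (f.category, f.evidence))


# Constructed input mimicking the sandbox findings. The hypothetical_payload.dex
# line is invented to show the high-severity branch; it was not observed.
SAMPLE = """
/system/xbin/su
/sbin/su
/data/local/su
/system/app/Superuser.apk
Landroid/content/ClipboardManager;
addPrimaryClipChangedListener
Ldalvik/system/PathClassLoader;
/system_ext/framework/androidx.window.sidecar.jar
/data/data/ru.oneme.app/cache/hypothetical_payload.dex
Landroid/app/job/JobScheduler;
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity:6}] {f.category:16} {f.evidence}")
```

The point of the path split is the one the sidecar finding illustrates: a generic "loads DEX at runtime" rule scores the system library and an app-written file identically, whereas only the latter lets code change after install. Feed the real strings dump in and anything that lands as `high` is where the manual review should start.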
The sandbox captured extensive crash logs and error traces stored in /data/data/ru.oneme.app/cache/tracer/crashes/. Multiple ERROR entries with stacktraces, system_info, and all_logs files were created during the analysis session, indicating unstable code. Additionally, mytracker databases (proprietary Russian analytics) and extensive apptracer network calls show aggressive telemetry collection.
1. Government Integration. MAX is legally designated as a "multifunctional information exchange service" under Federal Law No. 156-FZ (June 24, 2025) and Government Decree No. 1880-r (July 12, 2025). It integrates with ESIA (state authentication), Gosuslugi, and other GIS. This means the app functions as state infrastructure.
2. Mandatory Data Localization. All data is processed and stored on servers in the Russian Federation (Section 2.2, 3.2.1). Data is stored "for the duration required by applicable Russian law" even after account deletion.
3. Law Enforcement Access. Data is disclosed to "executive and judicial authorities" upon official request. The policy claims "minimum necessary data" is provided, but the scope is determined by Russian law, not the user.
4. Third-Party Data Sharing. Data is shared with: mobile operators, technology partners, analytics services, affiliated companies, and "Organizations" that have contracts with the Company. The consent model is "conclusive action" (clicking a button constitutes consent).
5. Contact Book Harvesting. Section 3.8 of the User Agreement explicitly states the app collects "names and phone numbers of contacts from the user's address book." This data is used to notify contacts when someone joins, map social graphs, and invite non-users.
6. Biometric Data Collection. The "Digital ID" feature requires facial recognition and fingerprint verification via the device. While the Company claims not to process biometrics directly, the GIS integration means biometric data is processed by the state operator.
7. Automated Content Scanning. Section 5.4: "The Company may use certain automatic computer systems and filters for scanning such messages" — ostensibly for spam, but the capability exists for broad content monitoring.
8. Unilateral Changes. Both the User Agreement and Privacy Policy can be changed unilaterally by the Company at any time. Continued use constitutes acceptance.
9. Reverse Engineering Prohibited. Section 4.3.6 prohibits "reverse engineering, decompilation, reverse assembly". Such clauses are boilerplate in proprietary app agreements, so this is not unique to MAX, but it is still an attempt to discourage independent security audits like this one.
MAX integrates with "RNKO VK Payment Solutions" (OOO) for fast payments via SBP (Russia's instant payment system). Phone numbers of both sender and receiver are shared with the payment processor. This creates a financial metadata trail linked to phone numbers.
MITRE ATT&CK Mobile Matrix v16: techniques observed during sandbox analysis.
Block sdk-api.apptracer.ru and tracker-api.vk-analytics.ru at your DNS/firewall to reduce telemetry exposure.
MAX Messenger (ru.oneme.app) received a Likely Malicious score of 8/10 from the Recorded Future (Triage) sandbox. The behavioral analysis reveals a pattern consistent with state-affiliated surveillance software disguised as a consumer messenger:
Clipboard monitoring (credential access), contact harvesting, photo access, root detection, dynamic code loading, untrusted code signing, and aggressive telemetry to Russian infrastructure — all documented by automated sandbox analysis, not speculation.
The legal framework confirms what the code reveals: MAX is deeply integrated with Russian state systems, stores all data on Russian servers under Russian jurisdiction, and provides data to law enforcement upon request. The prohibition on reverse engineering in the user agreement further suggests the developers anticipate and wish to prevent exactly this kind of analysis.
The app's refusal to run on GrapheneOS without weakening security protections, combined with its crash on Android 15 emulation, suggests reliance on behaviors that modern hardened environments explicitly restrict.
This is a preliminary report. YonSeSecurity will conduct a complete manual reverse engineering of the application's decompiled code. A follow-up report with code-level analysis, additional IOCs, and detailed findings will be published upon completion.