Analysis of the Android client of the messenger Max has raised serious questions in the information security community. Reverse engineering and traffic inspection showed that the app not only determines the user’s external IP address, but also detects VPN usage and tests connectivity to Telegram and WhatsApp infrastructure. While Max states these mechanisms exist solely for technical reasons, the collected data has clear privacy and profiling implications.
Network traffic analysis: external IP lookup and probes to Telegram and WhatsApp
Security enthusiasts first noticed unusual network behavior while monitoring the official Max APK with tools such as PCAPdroid in an Android emulator. The client regularly contacted external IP detection services, including foreign endpoints like api.ipify.org, checkip.amazonaws.com, ifconfig.me, as well as Russian services such as ip.mail.ru and several Yandex resources.
Traffic captures also revealed connections to main.telegram.org and mmg.whatsapp.net. The latter is used by WhatsApp for multimedia delivery and is reportedly blocked by Russian regulators. For a third‑party messenger, actively probing Telegram and WhatsApp hosts is atypical behavior and naturally attracted the attention of cybersecurity specialists.
Reverse engineering: GET_HOST_REACHABILITY event and detailed telemetry
A deeper technical review, based on decrypted traffic via mitmproxy in WireGuard mode, exposed a proprietary binary protocol built on MessagePack. Within this protocol, researchers identified a specific event type named GET_HOST_REACHABILITY.
When this event is triggered, the Max client sends a structured report to api.oneme.ru containing:
- the user’s external IP address;
- connection type (Wi‑Fi or cellular network);
- PLMN code (the mobile network identifier that ties the user to a particular operator and country);
- a VPN usage flag determined via the standard Android API NetworkCapabilities.TRANSPORT_VPN;
- results of reachability checks for specific hosts, including gosuslugi.ru, gstatic.com, main.telegram.org and mmg.whatsapp.net.
For each host, the client performs two tests: an ICMP ping and an attempted TCP connection to port 443, the standard HTTPS port. This combination reveals not only basic network availability but also application‑level blocking or filtering, for example when ping succeeds but HTTPS traffic is silently dropped.
Hard‑coded hosts, remote activation and indirect VPN detection
Decompilation with JADX showed that the list of tested hosts and IP‑lookup URLs is hard‑coded in dedicated classes. The external IP is queried asynchronously from a shuffled mix of foreign services, and responses like 127.0.0.1 are explicitly ignored as invalid.
The telemetry module appears to be activated when the app is minimized or brought back to the foreground. In addition, a server‑side flag called host-reachability can remotely enable or disable these checks, which in practice allows selective activation of extended telemetry for specific accounts or regions. Because this data is embedded in the messenger’s own protocol and mixed with normal messaging traffic, selectively blocking telemetry without blocking Max altogether becomes technically difficult.
From a security perspective, combining IP lookups from multiple jurisdictions with a VPN flag and host reachability results can indirectly reveal VPN usage patterns. For example, discrepancies between foreign IP‑detection services, together with failed access to domestic resources but successful access to foreign ones, may indicate tunneling or the use of private VPN servers.
Max’s official position: service quality, not user tracking?
In public comments, Max representatives state that these mechanisms are used exclusively to ensure reliable service operation, especially VoIP calls, video calls and push notifications. According to the company, external IP information is required to optimize WebRTC peer‑to‑peer connections, while checks against Google and Apple servers validate push delivery. Max also claims that requests to Telegram and WhatsApp servers are not actually sent in production.
The company emphasizes that the implemented solutions, in its view, “have nothing to do with personal data or the use of other services, including VPNs”. However, no detailed public documentation has been provided on what telemetry is stored, for how long, in what form, and under which technical and organizational safeguards. For privacy assessments, these aspects are as important as the protocol itself.
Privacy risks and security recommendations for Android messenger users
Even when labeled as “service telemetry”, a dataset that includes external IP addresses, VPN status, mobile operator identifiers and availability of specific services can be used to build a highly accurate picture of a user’s network behavior over time. Numerous studies in the privacy community have shown that persistent metadata often enables profiling, even when message content remains encrypted.
Users who prioritize privacy and secure communications should consider several practical steps:
- Monitor app network activity using local firewalls or traffic monitoring tools to detect unexpected external connections.
- Use VPN services that support per‑app tunneling and strong protection against DNS and IP leaks, so that messenger telemetry cannot easily bypass the tunnel.
- Prefer messengers with open source clients and independently audited protocols, where telemetry behavior can be verified by third parties.
- Keep Android and all communication apps up to date to benefit from the latest security and privacy fixes.
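The first recommendation, monitoring the app's own connections, can be automated against a connection log. The following is an added example, not code from the original analysis or from Max: it reads a constructed PCAPdroid‑style CSV (the column layout and the app label are assumptions) and flags the patterns described above, namely a burst of external‑IP lookups, paired ICMP and TCP/443 probes to the hard‑coded hosts, and an upload to api.oneme.ru.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Hosts named in the analysis, grouped by what contact with them indicates.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.amazonaws.com", "ifconfig.me", "ip.mail.ru"}
REACHABILITY_HOSTS = {"gosuslugi.ru", "gstatic.com", "main.telegram.org", "mmg.whatsapp.net"}
TELEMETRY_ENDPOINT = "api.oneme.ru"

# Constructed sample log; the CSV columns and the app label "max-client" are assumptions,
# not the real export format of PCAPdroid or the real package name of the messenger.
SAMPLE_LOG = """\
timestamp,app,proto,dst_host,dst_port
2024-01-01T10:00:00,max-client,TCP,api.ipify.org,443
2024-01-01T10:00:01,max-client,TCP,ifconfig.me,443
2024-01-01T10:00:01,max-client,TCP,ip.mail.ru,443
2024-01-01T10:00:03,max-client,ICMP,main.telegram.org,0
2024-01-01T10:00:03,max-client,TCP,main.telegram.org,443
2024-01-01T10:00:04,max-client,ICMP,mmg.whatsapp.net,0
2024-01-01T10:00:04,max-client,TCP,mmg.whatsapp.net,443
2024-01-01T10:00:06,max-client,TCP,api.oneme.ru,443
2024-01-01T10:05:00,browser,TCP,www.example.com,443
"""


def analyze(log_text, app, burst_window_s=10):
    """Return (finding, detail) tuples for one app's connections in the log."""
    rows = [r for r in csv.DictReader(io.StringIO(log_text)) if r["app"] == app]
    findings, lookups, probes = [], [], defaultdict(set)
    for r in rows:
        host, proto = r["dst_host"], r["proto"]
        ts = datetime.fromisoformat(r["timestamp"])
        if host in IP_LOOKUP_HOSTS:
            lookups.append(ts)                      # one external-IP lookup
        elif host in REACHABILITY_HOSTS:
            # Record the probe kind: bare ICMP, or TCP with its destination port.
            probes[host].add("ICMP" if proto == "ICMP" else f"{proto}/{r['dst_port']}")
        elif host == TELEMETRY_ENDPOINT:
            findings.append(("telemetry_upload", host))
    # Several lookup services hit within a short window matches the shuffled async lookup.
    if len(lookups) >= 2 and (max(lookups) - min(lookups)).total_seconds() <= burst_window_s:
        findings.append(("ip_lookup_burst", len(lookups)))
    # Ping plus a TCP/443 attempt against the same host matches the reachability test.
    for host, kinds in sorted(probes.items()):
        if {"ICMP", "TCP/443"} <= kinds:
            findings.append(("ping_plus_https_probe", host))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, "max-client"):
        print(*finding)
```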
The Max Android case illustrates how crucial it is to scrutinize network telemetry in messaging apps, especially in jurisdictions with extensive traffic filtering and surveillance capabilities. Transparent technical documentation, independent security reviews, and a willingness by vendors to engage with the security community are key prerequisites for trust. Users, in turn, should treat the choice of messenger and VPN not as a matter of convenience alone, but as a strategic decision that directly affects their privacy and overall digital security.