Russian messenger MAX found using multiple IP detection services

Users of the state-approved MAX ̶s̶p̶y̶w̶e̶a̶r̶ messenger in Russia may be interested in the following article. Any that also use Tor VPN beta almost certainly will be - especially point 3 in the “Precautions” list below. What follows is a machine translation. An archive of the original article is here. I cannot verify the accuracy of anything herein, but I’ve seen the source (https://ntc.party) referred to elsewhere in other articles here on censorship in Russia e.g. this one.


Russian messenger MAX has been spotted accessing foreign IP detection services and competitors’ servers.

Users of the specialized NTC forum (available only via IPv6), dedicated to researching internet censorship and block circumvention, have discovered unusual network behavior in the Russian messenger MAX. This concerns the official APK from the official website.

The scheme was fairly straightforward: in one case, they used PCAPdroid, an app that simulates a VPN on an Android device to intercept network traffic without requiring root access, thus allowing them to monitor, analyze, and block network connections made by apps on the device. In another case, they analyzed traffic from an emulator, specifically noting that the system image in the emulator was “clean,” with no other messaging apps or additional software installed.

According to observations (PCAPdroid dumps are posted on the forum), the MAX messenger regularly pings several services simultaneously to determine the external IP address, some of which are foreign. Among the domains that surfaced during the scan, in addition to Russian services, foreign services are also visible:

Using IP detection services in itself isn’t a crime—for example, it might be necessary to properly configure P2P calls via WebRTC. However, VK (the creators of Max) has long had its own STUN servers designed specifically for this purpose, and therefore there’s no need to use third-party, especially foreign, services.

Furthermore, two things raised alarm bells among forum participants. First, there were too many IP checks and too many different sources. If the goal is simply to “find an external IP,” one service is usually sufficient. When there are multiple, it looks like an attempt to double-check the result and piece together a “picture” from different perspectives. Second, the list of outgoing connections also shows MAX client requests to domains associated with Telegram and WhatsApp:

This already looks like a network environment check (for example, which domains are being blocked by the ISP) and whether competitors are available or blocked. For example, the mmg.whatsapp.net domain is used by WhatsApp to download media via direct links. Roskomnadzor is currently blocking this domain, and it could be conveniently used to monitor whether content from a specific URL is loading from this domain, especially considering that Roskomnadzor’s blocking of “prohibited” domains often doesn’t occur immediately, but only after approximately 16 KB of data have been received from the “prohibited server,” or, instead of blocking, the connection is simply slowed down.

The api.ipify.org service is hosted on Cloudflare’s network, and checkip.amazonaws.com is hosted on Amazon’s AWS cloud. Both Cloudflare and Amazon are also frequently subject to Roskomnadzor’s “16kb” and “trigger” blocking (see here and here), and this can also be a fairly typical check.

Taking into account the above, accessing several external IP determination services in different locations can also be used to check whether the user is accessing the Internet “directly” or through a VPN/proxy (based on discrepancies between IP checks, routing, and the availability of individual resources).

For example, if a user’s VPN/proxy client has split routing configured, whereby traffic to foreign resources goes through a proxy/VPN and traffic to Russian addresses goes directly, then such checks, when Russian and foreign services are used simultaneously, will show different IP addresses in different ASes. This allows fairly reliable detection of the presence of a proxy/VPN and even identification of the proxy/VPN server’s output IP address (which, with a simple setup, almost always matches the input address), and subsequently blocking access to it.

And let’s not forget that, since last year, Article 13.52 of the Code of Administrative Offenses of the Russian Federation (violation of the procedure for using hardware and software accessing information resources and information and telecommunications networks with restricted access on the territory of the Russian Federation) has imposed fines on VPN/proxy owners for failure to comply with the prohibition on providing access to information resources with restricted access on the territory of the Russian Federation, as well as for failure to comply with the established procedure for interaction with Roskomnadzor.

Precautions:

  1. Do not use MAX;

  2. If it is necessary to use it, place it on a separate “clean” and isolated device;

  3. When using a VPN/proxy, configure split tunneling to separate routes not by GeoIP, but by application (especially considering that not only Max, but any domestic application can do this);

  4. Use a chain of two proxy servers rather than just one; alternatively, use two IP addresses on the proxy server (one for incoming and one for outgoing connections), or, if you only have one IP address on the server, route outgoing traffic from the proxy to Cloudflare WARP.

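The forum's finding was made by reading PCAPdroid dumps by hand. Below is an added example (not from the article or the forum) of the same triage as a script: it groups outbound connections per app and flags any app that contacts several public IP-echo services or other messengers' domains. The record format, the package names and the dump itself are constructed for the example and are not PCAPdroid's real export.

```python
"""Triage outbound connections for the pattern described above: one app
talking to several public IP-echo services plus other messengers' domains.
Added example; record format and sample data are constructed, not PCAPdroid's."""
from collections import defaultdict

# Public IP-echo services named in the article, plus two other well-known ones.
IP_ECHO_HOSTS = {"api.ipify.org", "checkip.amazonaws.com", "ifconfig.me", "icanhazip.com"}
# Domain suffixes of the competing messengers the article mentions.
COMPETITOR_SUFFIXES = ("whatsapp.net", "telegram.org")

# Constructed dump: "<app package>,<destination host>" per line, header first.
SAMPLE_DUMP = """app,host
example.max.app,api.ipify.org
example.max.app,checkip.amazonaws.com
example.max.app,mmg.whatsapp.net
example.max.app,api.telegram.org
example.max.app,cdn.example-max.ru
org.example.weather,api.ipify.org
"""


def parse_dump(text):
    """Return (app, host) tuples, skipping the header and blank lines."""
    rows = []
    for line in text.splitlines()[1:]:
        if line.strip():
            app, host = line.split(",", 1)
            rows.append((app.strip(), host.strip().lower()))
    return rows


def triage(connections, min_echo=2):
    """Map app -> reasons it looks like it is fingerprinting the network environment."""
    by_app = defaultdict(set)
    for app, host in connections:
        by_app[app].add(host)
    findings = {}
    for app, hosts in sorted(by_app.items()):
        echo = sorted(h for h in hosts if h in IP_ECHO_HOSTS)
        rivals = sorted(h for h in hosts if h.endswith(COMPETITOR_SUFFIXES))
        reasons = []
        # One IP check is normal (e.g. for WebRTC); several different ones is the red flag.
        if len(echo) >= min_echo:
            reasons.append(f"{len(echo)} distinct IP-echo services: {', '.join(echo)}")
        if rivals:
            reasons.append(f"reaches other messengers' domains: {', '.join(rivals)}")
        if reasons:
            findings[app] = reasons
    return findings
```

Run `triage(parse_dump(SAMPLE_DUMP))` to get the flagged apps with their reasons; the weather app, which uses a single IP-echo service, is not flagged at the default threshold.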

Android’s multi-user function is also one possible solution, as different users have different VPN connections. You can use MAX in a profile that doesn’t have VPN and use apps that require VPN in the other profile.


Yeah, it also isolates the apps themselves. That may help with the MAX app requesting permission to read the system’s app list.

Nekobox lets you do per-app split tunneling. It’s useful even if you don’t have a VPN, but just want to bootleg a proxy function onto apps that have no native proxy support.

That reminds me, I do remember that for Android, apps installed in the owner profile can see what apps other profiles have installed, and user-installed file manager apps can access /data/app (where all user-installed apps’ installation files reside) without any special permission. But I can’t reproduce it anymore.
So I found this Android developer blog post that says that for apps targeting Android 11 or later to obtain a list of installed applications, the app must ask for the QUERY_ALL_PACKAGES permission:
https://medium.com/androiddevelopers/package-visibility-in-android-11-cc857f221cd9

Which I was able to confirm in app manager app App Manager.

I also tried to download the Max app to have a look, but unfortunately I wasn’t able to find the Max app in the Play Store, and when I accessed the link to Max in Huawei AppGallery it just said “the app doesn’t exist” (region-locked?), so I had to download a copy of the apk from Uptodown, which I have no idea if it’s genuine or not. In that apk’s AndroidManifest.xml I cannot locate it requesting QUERY_ALL_PACKAGES, and the app is targeting SDK version 35 (Android 15) so… it can’t access the list of apps installed on your phone?
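A check along the lines of what the poster did by hand with apktool, as an added example (not the poster's code): it reads a decoded AndroidManifest.xml and reports the target SDK, whether QUERY_ALL_PACKAGES is requested, and, going one step further than the thread, which packages are declared under <queries>, since on Android 11+ an app can still see those specific packages without the broad permission. The sample manifest and its package names are constructed.

```python
"""Report what a decoded AndroidManifest.xml says about package visibility.
Added example (not from the thread); assumes apktool-style decoded XML.
The sample manifest and package names below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_TARGET = f"{{{ANDROID_NS}}}targetSdkVersion"
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.messenger">
    <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="35"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <queries>
        <package android:name="com.example.rivalmessenger"/>
        <package android:name="com.example.vpnclient"/>
    </queries>
    <application android:label="Sample"/>
</manifest>
"""


def package_visibility(manifest_xml):
    """Summarise how much of the installed-app list this manifest lets the app see."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target = uses_sdk.get(A_TARGET) if uses_sdk is not None else None
    target = int(target) if target else None  # apktool may keep it in apktool.yml instead
    perms = {p.get(A_NAME) for p in root.findall("uses-permission")}
    # Without QUERY_ALL_PACKAGES, an app targeting API 30+ still sees every package it
    # lists under <queries> (only <package> entries are reported here, not <intent> filters).
    queried = [p.get(A_NAME) for p in root.findall("queries/package")]
    if QUERY_ALL in perms:
        full = True
    elif target is None:
        full = None  # cannot tell without the target SDK
    else:
        full = target < 30  # below API 30 no package-visibility filtering applies
    return {
        "target_sdk": target,
        "query_all_packages": QUERY_ALL in perms,
        "sees_full_app_list": full,
        "declared_queries": queried,
    }
```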

Hmm, maybe the app doesn’t even request that API, yes, sorry. It’s just that a lot of banking apps and such request such a permission and I expected the same from this app.

You can install it using Aurora Store. (It doesn’t require logging in with a Google account, so you find it using this Google Play link there (by allowing it to open links in the app), download it, as if you’re gonna install it, then when it downloads and requests you to install it, you click “Cancel”, then in the “Downloads” section of Aurora Store you can click+hold on the app and click “Save app bundle”)

Oh, there’s absolutely no reason to be sorry. I’m also a bit cautious because I know some other apps surveilled users with permissions like this, so I used apktool to tear the apk down and have a look at the manifest.
Also it’s still too early to have definitive answers. The version I downloaded from Uptodown indeed doesn’t request a list of apps installed on the device, but a later update could change that. Though Google mentioned that Google Play would manually vet apps that require this permission, so theoretically apps that don’t need this permission (like this one) shall be rejected, but it also won’t surprise me if Google decides to cozy up to repressive regimes, again. sigh
There’s also the problem of apps distributed via Huawei AppGallery, which may or may not be different from the apps distributed via Google Play Store. AppGallery could have different rules regarding special permissions for published apps, and Huawei, being a company that is even more amoral than Google, would probably be more than happy to offer convenience even if they have similar rules regarding permissions like QUERY_ALL_PACKAGES.

Aurora store already offers a way to manually download app in the app detail interface afaik :smiley:


Exactly my reasoning!

They sure did, but now it’s harder in my experience. It’ll work through the method I mentioned above.

The apk I downloaded from Uptodown was genuine, it has the same signature as the app I downloaded from Play Store. It also requested no QUERY_ALL_PACKAGES permission, at present.

Also I was reminded that it’s pretty common for proxy applications to open a local Socks/HTTP proxy port, and a locally installed application can possibly probe through all ports opened by other applications. And multiple profiles (multiuser/work profile) don’t mitigate that… So maybe the only way to make sure that MAX messenger is to install it on another device?

If that’s the case, can’t you also install it in a VM like Android Studio?