Cloudflare Flags Russian Messenger Max as Spyware, Echoing Telegram Client Ban

Key facts

• Cloudflare assigned the domain of Russian state messenger Max a 'spyware' status.
• The exact time of the classification is unknown.
• Max's TLS certificate remains active despite the spyware label.
• The Max app is still available for download on Apple's App Store and Google Play.
• Cloudflare previously classified the unofficial Telegram client Telega as spyware, leading to certificate revocation and App Store removal.
• Telega's developers attributed the incident to a classification error.
• After Telega's blocking, idevice instability and lockups after iOS updates.
• Max's audience has surpassed 30 million users.

Cloudflare Labels Russian State Messenger as Spyware

Cloudflare, the global web infrastructure and security company, has classified the domain of Russia's state-backed messaging application Max as spyware, according to reports. The designation places the messenger, which is promoted as a secure alternative to Western platforms, under a cloud of suspicion that could have far-reaching consequences for its operations. The precise moment when Cloudflare assigned the spyware status to Max's domain remains unclear. However, the classification is already visible in Cloudflare's systems, potentially affecting how the domain is treated by the company's network and security tools.

TLS Certificate Still Active; Apps Remain in Stores

Despite the alarming classification, the TLS certificate for Max's domain — which verifies the authenticity of the website and encrypts data — remains active. This means that, for now, the messenger's web services continue to function without immediate disruption. Furthermore, the Max application is still available for download from both Apple's App Store and Google Play. This stands in contrast to the swift action taken against a similar Russian messaging client in the past, suggesting that Cloudflare's classification alone does not automatically trigger removal by app stores.

Echoes of the Telega Precedent

The situation is notably reminiscent of an earlier episode involving Telega, an unofficial Telegram client that was also popular in Russia. Cloudflare similarly labeled Telega as spyware, and the consequences were severe: the app's TLS certificate was revoked, and Apple removed Telega from the App Store entirely. Developers of Telega attributed the incident to a classification error, claiming that Cloudflare had mistakenly flagged their software. Nevertheless, the damage was done, and the app was effectively rendered inaccessible to many users.

iPhone Users Suffered After Telega Ban

Following the blocking of Telega, a wave of complaints emerged from itheir devices became unstable after updating iOS. According to user accounts, the smartphones would get stuck in a loading state for extended periods and then become locked. Some users linked the problem to the presence of Telega on their devices, suggesting that the app's removal may have triggered unforeseen side effects. The incident highlighted the potential collateral damage when a widely used app is suddenly pulled from app stores.

Max's Rapid Growth and Government Backing

Max, which recently rebranded its Russian name to 'МАКС' (MAKS), is a state-backed messenger developed by a subsidiary of VK, the Russian internet giant. The beta version of the service launched in March 2023, and by early April 2024, it had registered over 110 million users, with an active audience exceeding 30 million. The messenger is overseen by the 'Communication Platform' company, a VK subsidiary. Its rapid adoption has been driven by official promotion and integration into government services, positioning it as a domestic alternative to WhatsApp and Telegram.

VPN Restrictions and Uncertain Future

Recently, Max began restricting users who access the service with a VPN enabled. When attempting to send a message, users see a prompt: 'Disable VPN to use MAX.' This move aligns with Russian government efforts to control internet traffic and block unauthorized access. It remains unclear what prompted Cloudflare to assign the spyware label to Max's domain, and whether the same punitive measures applied to Telega — certificate revocation and app store removal — will follow. The company has not issued a public statement regarding the classification.

Open Questions and Potential Impact

The classification of Max as spyware by Cloudflare raises several critical questions. Will Apple and Google follow Cloudflare's lead and remove the app from their stores? Could Max's TLS certificate be revoked, disrupting its service? And if so, what would be the impact on the millions of users who rely on the messenger for daily communication? The precedent of Telega suggests that the consequences could be severe, but it also shows that such actions can be contested as errors. For now, Max remains operational, but the spyware label casts a long shadow over its future.

The bottom line

• Cloudflare has classified the domain of Russian state messenger Max as spyware, but the app remains available on app stores and its TLS certificate is still active.
• The classification mirrors a previous incident involving the Telegram client Telega, which led to certificate revocation and removal from the App Store.
• After Telega's ban, idevice instability, highlighting potential unintended consequences of such actions.
• Max has over 110 million registered users and is backed by VK, a Russian internet company, and the government.
• The messenger recently began blocking users who access it with a VPN enabled.
• It is unknown whether Cloudflare's classification will lead to further enforcement actions against Max.