EXCLUSIVE Russian software disguised as American finds its way into US Army, CDC apps
LONDON/WASHINGTON, Nov 14 (Reuters) – Thousands of smartphone applications in Apple’s ( AAPL.O ) and Google’s ( GOOGL.O ) online stores contain computer code developed by a technology company, Pushwoosh, which presents itself as based in the United States but is actually Russian , Reuters has found out.
The Centers for Disease Control and Prevention (CDC), America’s main agency for combating major health threats, said it had been tricked into thinking Pushwoosh was based in the US capital. After learning of its Russian roots from Reuters, it removed Pushwoosh software from seven public apps, citing security concerns.
The US Army said it had removed an app containing Pushwoosh code in March due to the same concerns. That app was used by soldiers at one of the country’s most important combat training bases.
According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian city of Novosibirsk, where it is registered as a software company that also performs data processing. It employs about 40 people and reported revenue of 143,270,000 rubles ($2.4 million) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.
However, on social media and in US regulatory filings it presents itself as a US company, based at various times in California, Maryland and Washington, DC, Reuters found.
Pushwoosh provides coding and data processing support for software developers, allowing them to profile the web activity of smartphone app users and send tailored push notifications from Pushwoosh servers.
On its website, Pushwoosh says it does not collect sensitive information, and Reuters found no evidence that Pushwoosh mishandled user data. However, Russian authorities have forced local companies to hand over user data to domestic security agencies.
Pushwoosh’s founder, Max Konev, told Reuters in a September email that the company had not tried to mask its Russian origins. “I am proud to be Russian and I would never hide this.”
Pushwoosh published a blog post after the Reuters article was published, which said: “Pushwoosh Inc. is a privately held C-Corp company incorporated under the laws of the state of Delaware, USA. Pushwoosh Inc. was never owned by any company registered in the Russian Federation.”
The company also said in the post, “Pushwoosh Inc. used to outsource development parts of the product to the Russian company in Novosibirsk, mentioned in the article. But in February 2022, Pushwoosh Inc. terminated the contract.”
After Pushwoosh published its post, Reuters asked Pushwoosh to provide evidence for its claims, but the news agency’s requests went unanswered.
Konev said the company “has no connection with the Russian government of any kind” and stores its data in the United States and Germany.
However, cybersecurity experts said that storing data abroad would not prevent Russian intelligence agencies from forcing a Russian firm to give up access to that data.
Russia, whose ties with the West have soured since its seizure of the Crimean peninsula in 2014 and invasion of Ukraine this year, is a global leader in hacking and cyberespionage, spying on foreign governments and industries to seek a competitive advantage, according to Western officials.
Pushwoosh code was installed in the apps of a wide range of international companies, influential nonprofits and government agencies from global consumer goods company Unilever Plc ( ULVR.L ) and the Union of European Football Associations (UEFA) to the politically powerful U.S. gun lobby, the National Rifle Association (NRA) and Britain’s Labor Party.
Pushwoosh’s dealings with US government agencies and private companies could violate contractual agreements and US Federal Trade Commission (FTC) laws or trigger sanctions, 10 legal experts told Reuters. The FBI, US Treasury and FTC declined to comment.
Jessica Rich, former director of the FTC’s Bureau of Consumer Protection, said that “these types of cases fall squarely within the authority of the FTC,” which cracks down on unfair or deceptive practices that affect American consumers.
Washington could choose to impose sanctions on Pushwoosh and has broad authority to do so, sanctions experts said, including possibly through a 2021 order giving the United States the ability to target Russia’s technology sector over malicious cyber activity.
Pushwoosh code has been embedded in nearly 8,000 apps in the Google and Apple app stores, according to Appfigures, an app intelligence website. Pushwoosh’s website says it has more than 2.3 billion devices listed in its database.
“Pushwoosh collects user data including precise geolocation, on sensitive and government apps, which can allow invasive tracking on a large scale,” said Jerome Dangu, co-founder of Confiant, a firm that tracks misuse of data collected in online advertising supply chains.
“We have found no clear signs of deceptive or malicious intent in Pushwoosh’s activity, which certainly does not reduce the risk of app data leaking to Russia,” he added.
Google said privacy was a “big focus” for the company, but did not respond to requests for comment about Pushwoosh. Apple said it takes user trust and security seriously, but similarly declined to answer questions.
Keir Giles, a Russia expert at London think tank Chatham House, said despite international sanctions against Russia, a “significant number” of Russian companies still traded abroad and collected personal data.
Given Russia’s national security laws, “it should not be a surprise that with or without direct links to Russian state espionage campaigns, firms that handle data would be keen to downplay their Russian roots,” he said.
After Reuters raised Pushwoosh’s Russian connections with the CDC, the health agency removed the code from its apps because “the company presents a potential security issue,” spokeswoman Kristen Nordlund said.
“The CDC believed Pushwoosh was a company based in the Washington, DC area,” Nordlund said in a statement. The belief was based on “representations” made by the company, she said, without elaborating.
The CDC apps that contained Pushwoosh code included the agency’s main app and others set up to share information about a wide range of health issues. One was for doctors who treat sexually transmitted diseases. While the CDC also used the company’s alerts for health issues like COVID, the agency said it “did not share user data with Pushwoosh.”
The army told Reuters it removed an app containing Pushwoosh in March, citing “security concerns”. It did not say how much the app, which was an information portal for use at the National Training Center (NTC) in California, had been used by troops.
The NTC is a major combat training center in the Mojave Desert for pre-deployment soldiers, meaning a data breach there could reveal upcoming overseas troop movements.
US Army spokesman Bryce Dubee said the Army had not suffered any “operational loss of data,” adding that the app did not connect to the Army network.
Some major companies and organisations, including UEFA and Unilever, said third parties set up the apps for them or believed they were employing a US company.
“We do not have a direct relationship with Pushwoosh,” Unilever said in a statement, adding that Pushwoosh was removed from one of its apps “some time ago.”
UEFA said the contract with Pushwoosh was “with an American company.” UEFA declined to say whether it was aware of Pushwoosh’s Russian ties, but said it was investigating its relationship with the company after being contacted by Reuters.
The NRA said its contract with the company ended last year and it was “not aware of any issues.”
Britain’s Labor Party did not respond to requests for comment.
“The data Pushwoosh collects is similar to data that might be collected by Facebook, Google or Amazon, but the difference is that all the Pushwoosh data in the United States is sent to servers controlled by a company (Pushwoosh) in Russia,” said Zach Edwards, a security researcher, who first discovered the prevalence of Pushwoosh code while working for Internet Safety Labs, a non-profit organization.
Roskomnadzor, Russia’s state communications regulator, did not respond to a Reuters request for comment.
FAKE ADDRESS, FAKE PROFILES
In US regulatory filings and on social media, Pushwoosh never mentions its Russian links. The company lists “Washington, DC” as its location on Twitter and claims its office address as a house in suburban Kensington, Maryland, according to its latest US corporate filings filed with Delaware’s Secretary of State. It also lists the Maryland address on Facebook and LinkedIn profiles.
The Kensington house is home to a Russian friend of Konev’s who spoke to a Reuters journalist on condition of anonymity. He said he had nothing to do with Pushwoosh and had only agreed to let Konev use his address to receive mail.
Konev said Pushwoosh had begun using the Maryland address to “receive business correspondence” during the coronavirus pandemic.
He said he now runs Pushwoosh from Thailand, but provided no evidence that it is registered there. Reuters could not find a company with that name in the Thai company register.
Pushwoosh never mentioned that it was Russian-based in eight annual filings in the US state of Delaware, where it is registered, an omission that could violate state law.
Instead, Pushwoosh listed an address in Union City, California as its headquarters from 2014 to 2016. That address does not exist, according to Union City officials.
Pushwoosh used LinkedIn accounts allegedly belonging to two Washington, DC-based executives named Mary Brown and Noah O’Shea to solicit sales. But neither Brown nor O’Shea are real people, Reuters found.
The one belonging to Brown was actually of an Austria-based dance teacher, taken by a photographer in Moscow, who told Reuters she had no idea how it ended up on the website.
Konev acknowledged that the accounts were not genuine. He said Pushwoosh hired a marketing agency in 2018 to set them up in an effort to use social media to sell Pushwoosh, not to mask the company’s Russian origins.
LinkedIn said it had removed the accounts after being notified by Reuters.
Reporting by James Pearson in London and Marisa Taylor in Washington Additional reporting by Chris Bing in Washington Editing by Chris Sanders and Ross Colvin
Our standards: Thomson Reuters Trust Principles.