
Pushwoosh: Russian software impersonating Americans found in US military and CDC apps

Thousands of smartphone applications on Apple’s AAPL.O and Google’s GOOGL.O online stores contain computer code developed by technology company Pushwoosh.

The U.S. Centers for Disease Control and Prevention (CDC), the nation’s primary agency for combating major health threats, said it was led to believe Pushwoosh was based in the U.S. capital. After learning from Reuters that the company has Russian roots, it removed the Pushwoosh software from its seven public apps, citing security concerns.

The U.S. Army said it removed an app containing Pushwoosh code in March over the same concerns. The app was used by soldiers at one of the country’s major combat training bases.

According to company documents filed publicly in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk and registered as a software company that also processes data. It has about 40 employees and last year earned 143.27 million rubles ($2.4 million) in revenue. Pushwoosh is registered with the Russian government to pay taxes in Russia.


However, on social media and in US regulatory filings, Reuters found, Pushwoosh has presented itself as a US company with multiple locations in California, Maryland and Washington, DC.

Pushwoosh provides software developers with code and data processing support to profile smartphone app users’ online activities and to send customized push notifications from Pushwoosh servers.

Pushwoosh says on its website that it does not collect sensitive information, and Reuters found no evidence that Pushwoosh mishandled user data. However, Russian authorities are forcing domestic companies to hand over user data to domestic security agencies.

Pushwoosh founder Max Konev said in an email to Reuters in September that the company was making no attempt to hide its Russian origins. “I am proud to be Russian and I will never hide this.”

After the Reuters article was published, Pushwoosh said in a blog post that Pushwoosh Inc. was not owned by any company registered in the Russian Federation.

The company also said in the post: However, in February 2022, Pushwoosh Inc. terminated the contract.



After Pushwoosh published the post, Reuters asked Pushwoosh to provide evidence for its claims, but the news agency’s request was not answered.

Konev said the company is “not affiliated with the Russian government of any kind” and stores data in the United States and Germany.

However, cybersecurity experts say storing data abroad won’t prevent Russian intelligence from forcing Russian companies to cede access to that data.

Russia, whose relations with the West have deteriorated since its occupation of Crimea in 2014 and its invasion of Ukraine earlier this year, is a global leader in hacking and cyber espionage, spying on foreign governments and industry to seek a competitive advantage, according to Western officials.

Pushwoosh’s code was installed in the apps of government agencies and of a wide range of international companies and influential nonprofits, from global consumer goods company Unilever Plc ULVR.L and the Union of European Football Associations (UEFA) to the politically powerful US gun lobby, the National Rifle Association (NRA), and the British Labour Party.


Pushwoosh’s dealings with U.S. government agencies and private companies could violate contracts and U.S. Federal Trade Commission (FTC) laws and could trigger sanctions, 10 legal experts told Reuters. The FBI, US Treasury Department and FTC declined to comment.

Jessica Rich, former director of the FTC’s Office of Consumer Protection, said that “these types of cases fall within the FTC’s mandate,” and that the FTC cracks down on unfair or deceptive practices that affect U.S. consumers.

Washington could also choose to impose sanctions on Pushwoosh and has broad powers to do so, sanctions experts said, including possibly through a 2021 executive order that gives the U.S. the ability to target Russia’s tech sector over malicious cyber activity.

According to app intelligence website Appfigures, Pushwoosh code is embedded in about 8,000 apps in the Google and Apple app stores. Pushwoosh has more than 2.3 billion devices in its database, according to its website.

Jerome Dangu, co-founder of Confiant, a company that tracks misuse of data collected in the online advertising supply chain, said: “We found no clear signs of deception or maliciousness in Pushwoosh’s activities. This certainly does not reduce the risk of app data being leaked to Russia.”

Google said privacy is a “big focus” for the company, but didn’t respond to a request for comment about Pushwoosh. Apple said it takes user trust and safety seriously, but declined to answer questions as well.


Keir Giles, a Russia expert at London think tank Chatham House, said that despite international sanctions against Russia, a “significant number” of Russian companies are still doing business abroad and collecting people’s personal data.

Given Russia’s internal security law, “it is not surprising that companies working with data, whether directly related to Russian state espionage or not, are keen to downplay their Russian roots,” he said.

After Reuters raised Pushwoosh’s ties to Russia with the CDC, the health agency removed the code from its apps because of “potential security concerns for the company,” spokeswoman Kristen Nordlund said.

“The CDC believed Pushwoosh to be a Washington, DC area-based company,” Nordlund said in a statement. That belief was based on “representations” made by the company, she said, but she did not elaborate.

CDC apps containing Pushwoosh code included the agency’s main app and other apps set up to share information about various health issues. One was for doctors treating sexually transmitted diseases. The CDC also used the company’s notifications for COVID and other health issues, but the agency said it does not share user data with Pushwoosh.


The Army told Reuters it removed an app containing Pushwoosh in March, citing “security concerns.” It’s unclear how widely the app, an information portal for use at California’s National Training Center (NTC), is being used by the military.

The NTC is the primary combat training center in the Mojave Desert for pre-deployment soldiers. In other words, a data breach at the NTC could reveal future movements of overseas forces.

U.S. Army spokesperson Bryce Duby said the Army had not suffered “operational data loss,” adding that the app did not connect to the Army’s network.

Some large companies and organizations, such as UEFA and Unilever, said that a third party set up their apps or that they thought they had hired a US company.

“We have no direct relationship with Pushwoosh,” Unilever said in a statement, adding that Pushwoosh was removed from one of its apps “some time ago.”




UEFA said its deal with Pushwoosh was “with a US company”. UEFA did not say whether it was aware of Pushwoosh’s ties to Russia, but said it was reviewing its relationship with the company after being contacted by Reuters.


The NRA said its contract with the company ended last year and that it “is not aware of any issues.”

The UK Labour Party did not respond to a request for comment.

“The data Pushwoosh collects is similar to what Facebook, Google, or Amazon can collect, but the difference is that all Pushwoosh data in the United States is sent to servers controlled by a Russian company (Pushwoosh),” said Zach Edwards, a security researcher who first discovered the prevalence of Pushwoosh code when he worked at Internet Safety Labs, a non-profit organization.

Russia’s state telecommunications regulator, Roskomnadzor, did not respond to Reuters’ requests for comment.

Fake address, fake profile

In its US regulatory filings and on social media, Pushwoosh has made no mention of any ties to Russia. The company lists “Washington, DC” as its location on Twitter and, according to its latest U.S. corporate filings with the Delaware secretary of state, claims its office address is a house outside Kensington, Maryland. It also lists the Maryland address on its Facebook and LinkedIn profiles.


The Kensington house is the home of a Russian friend of Konev’s, who spoke to Reuters journalists on condition of anonymity. He said he had nothing to do with Pushwoosh and had only agreed to let Konev use his address to receive mail.

Konev said Pushwoosh began using the Maryland address to “receive business correspondence” during the coronavirus pandemic.

He said he currently operates Pushwoosh in Thailand, but did not provide evidence that it is registered there. Reuters was unable to find a company with that name in the Thai company registry.

Pushwoosh never mentions that it is based in Russia in eight annual filings in the U.S. state of Delaware, where the company is registered, which could violate state law.

Instead, Pushwoosh cited its Union City, California address as its primary place of business from 2014 to 2016. That address does not exist, according to Union City officials.

Pushwoosh used LinkedIn accounts purportedly belonging to two Washington, DC-based executives named Mary Brown and Noah O’Shea to solicit sales. However, Reuters has discovered that neither Brown nor O’Shea are real people.

The photo on Brown’s account was actually of an Austria-based dance teacher and was taken by a Moscow photographer, who told Reuters he did not know how the photo came to be published on the site.


Konev confirmed that the accounts were not genuine. According to him, Pushwoosh hired a marketing agency in 2018 to use social media to try to sell Pushwoosh, not to hide the company’s Russian origins.

LinkedIn said it had removed the accounts after being alerted by Reuters.

Reported by James Pearson in London and Marisa Taylor in Washington. Additional reporting by Chris Bing in Washington.


