Many mobile apps in the Apple store and Google Play store carry programs code developed by the Russian technology company, Pushwoosh, representing itself as a USA-based company but it was actually Russian, according to the reports found by Reuters.
The US head agency for fighting major health threats Disease Control and Prevention (CDC) said it had been misled into believing that the company Pushwoosh was based in the U.S. capital but after learning its roots and connection from Reuters, the agency removed software Pushwoosh from seven public facing applications which open up security concerns.
In March, the U.S army removed an app for the same reason which also includes code from Pushwoosh company. That particular app was used by soldiers which were the training bases of the country’s main combat.
According to a publicly filed document in Russia which was reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that carries out data processing. It employs around 40 people and reported a revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh has signed up with the Russian government to pay taxes in Russia.
Reuters found that on social media and in U.S. regulatory filings, it presented itself as a U.S. company, based at various times in California, Maryland, and Washington, D.C.
The entrance of the National Training Centre, a U.S. military training area located in the Mojave Desert in Fort Irwin, California, U.S.,—REUTERS
Pushwoosh supplies code and data processing support for software developers. It enables them to profile the online movement of smartphone app users and send push notifications from Pushwoosh servers.
The website said it does not collect any sensitive data or information. Reuters didn’t find any evidence of Pushwoosh mishandling the data of users. However, Russian authorities have forced domestic companies to hand over user data to security agencies in their country.
In September, Max Konev, who is the founder of Pushwoosh, told Reuters in an email that the company had not attempted to mask its Russian origins. “I am proud to be Russian and I would never hide this.”
He further added that the company “has no connection with the Russian government of any kind” and stores its data in the United States and Germany.
Cybersecurity professionals said storing data overseas would not prevent Russian intelligence agencies from compelling a Russian firm to cede admission to that data.
Pushwoosh code was installed in the apps of a wide array of multinational companies, non-profits, and government agencies from global consumer goods companies like Unilever Plc and the Union of European Football Associations (UEFA) to the politically strong U.S. gun lobby, the National Rifle Association (NRA), and Britain’s Labour Party.
After Reuters put forward Pushwoosh’s Russian links with the CDC, the health agency withdrew the code from its apps because “the company presents a potential security concern,” spokesperson Kristen Nordlund said.
“CDC believed Pushwoosh was a company based in the Washington, D.C. area,” Nordlund said in a statement. The belief was based on “representations” made by the company, she said, without elaborating.
FAKE ADDRESS, FAKE PROFILE
In US regulatory filings and on social media, Pushwoosh never cited its Russian links. The company listed itself as “Washington, D.C.” as the location on Twitter and asserted its office address as a house in Kensington, Maryland. It also listed the Maryland address on its Facebook and LinkedIn profiles.