Russian code found in CDC and US Army apps, according to new report
A new Reuters report claims that a Siberia-based company, Pushwoosh, misled clients about being based in the US.
The app software company, Pushwoosh, boasts an impressive roster of clients including the Center for Disease Control (CDC), the UK’s Labour Party, as well as the US Army. It’s offered coding and data processing support for over 8,000 apps, a venture that subsequently allowed them to profile countless users’ activity according to the access granted them—although its official privacy policy states that it doesn’t not collect or store any sensitive information. However, Pushwoosh—with a $2.4 million revenue stream—doesn’t appear to be based in Washington, DC, per previous claims—or California, or Maryland, for that matter. In actuality, official documents point towards Pushwoosh being located in the Russian city of Novosibirsk in Siberia.
The knowledge comes per an exclusive report from Reuters yesterday, which lays out how Pushwoosh’s activities are raising concerns for the company’s often high profile customers overseeing troves of sensitive user information. Reuters does not claim that a breach of privacy has taken place, but does point to the Russian intelligence agencies’ far-reaching authority and previous orders to companies to share their data with the government. “I am proud to be Russian and I would never hide this,” Pushwoosh’s founder, Max Konev, wrote Reuters via email, adding that the company “has no connection with the Russian government of any kind.”
[Related: Egypt’s official COP27 app may be greenwashed spyware.]
According to Reuters, a deep dive into Pushwoosh’s online paper trail turned up a host of suspicious activity. The company listed multiple physical addresses across the nation, one of which was simply a Maryland home owned by Konev’s friend and one California address that doesn’t exist according to city officials. There were also omissions of Russian relations in at least five annual financial filings and at least two associated LinkedIn profiles that do not belong to real people. Konev claims the two accounts were created in 2018 by a marketing company he hired to boost social media sales, not to hide the company country of origin.
Although the investigation does not indicate Pushwoosh has actively engaged in malicious surveillance, its misleading stateside addresses and potential susceptibility to leaks or hacking could be in violation of US Federal Trade Commission (FTC) laws, or be cause enough to trigger sanctions. Both the US Army and the CDC stated they have removed Pushwoosh software from their apps, although that likely affects only a fraction of the company’s 2.3 billion devices it claims are in its databases. Pushwoosh’s clients also include the National Rifle Association and the Union of European Football Associations, per Reuters‘ report. Google and Apple have yet to comment on the situation, apart from claims that users’ security and privacy are a “huge focus” of their operations.
