Quote:In an exclusive report, Reuters found that thousands of smartphone applications in Apple and Google’s online stores contain a computer code developed by a technology company, Pushwoosh, that is identified as “American” but is Russian.

The Centers for Disease Control and Prevention (CDC), the United States’ main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the U.S. capital. After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns.

…According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.

On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.

Pushwoosh provides code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.

Army soldiers used an app containing the computer code at one of the country’s main combat training bases. The Army removed the app in March.

“The app in question was developed in 2016 by an individual who is no longer associated with the National Training Center (NTC) using a free version of Pushwoosh,” US Army spokesperson Bryce Dubee told The Register, adding there was no contract. “NTC reports they did not have any knowledge that Pushwoosh code was part of the app and were not aware of Pushwoosh itself or that it was a Russian-owned company.”

“As regulations and guidance have become more stringent since 2016, PM Army Mobile moved to have the app taken offline completely while conducting a routine review of authorized apps,” Dubee continued. “Additionally, regulations do not authorize the use of free software when paid software is available, and consequently, the PM Army Mobile team would have immediately disallowed/disapproved the use of free software.”

In addition to the US government agencies, consumer goods giant Unilever, the Union of European Football Associations, American gun lobby group National Rifle Association, and Britain’s Labour Party also installed Pushwoosh code in their apps, Reuters reported.

The CDC used the company’s code in at least seven public-facing apps. It recently ditched the software as well.

While the software owner denies the allegations, the paper trail followed by Reuters is suspicious. The investigation also did not provide evidence that collected data was sent to Russia.

The company’s founder, Max Konev, has disavowed suspicions, telling the outlet that Pushwoosh “has no connection with the Russian government of any kind” and that he had not tried to hide the company’s origins. “I am proud to be Russian and I would never hide this,” he said.

In its marketing materials and on its website the company also listed a number of physical addresses based in the U.S. that Reuters says aren’t actually connected to the company. Reporters traveled to one of the addresses and found that it was the residence of a friend of Konev’s; the friend told the reporters that he had “nothing to do with Pushwoosh and had only agreed to allow Konev to use his address to receive mail.” The other address, which was said to be the firm’s “principal place of business” from 2014 to 2016, was for a residence in a California Bay Area town that local officials say doesn’t actually exist.

At the same time, the company created a raft of social media profiles for U.S.-based executives that are also fictional, Reuters reports. Konev claims that the fake profiles were created by a marketing agency in 2018 to “use social media to sell Pushwoosh, not to mask the company’s Russian origins.”

From a cybersecurity perspective, the obvious concern here is that this company isn’t what it seems and that data collected by it could have been misused or shared with the Russian government. To be clear, though, Reuters reports that there isn’t any evidence that Pushwoosh did either of those things. That said, it isn’t without precedent for Russian law enforcement to force Russian companies to furnish user data to the government.