Russian software infiltrates US apps: The war between Russia and Ukraine has sent tensions soaring, but a recent discovery makes things even more intense. Pushwoosh is a technology company that develops computer code seen in applications across both the Apple and Google online stores. However, while the company appears to be a US-based entity, it is actually a Russian company.
- Pushwoosh presents itself as a US company on social media and in US regulatory filings. It has shown itself based in California, Maryland, and Washington, D.C.
- It is actually a Russian software company with its headquarters in the Siberian town of Novosibirsk. There, it is registered as a software company that employs around 40 people. It is even registered to pay taxes in Russia.
CDC and US Army were deceived: The CDC believed that the company was based in the US capital. However, once it discovered that it was dealing with Russian software, it quickly removed it from seven apps due to security concerns. Similarly, the US Army removed an app used at a major combat training base containing Pushwoosh code.
What does Pushwoosh do? The company provides code and support that is used by developers to profile the activity of app users. That data is then used to send personalized notification messages from Pushwoosh servers. It is not an uncommon type of service, but it does give Pushwoosh access to a variety of data.
Is Pushwoosh providing user data to the Russian government? Perhaps the biggest question is whether the Russian software company is providing user data to the Russian government. While founder Max Konev reportedly told Reuters, who broke the story, that he was proud of his Russian heritage, he also said it had no connection with the Russian government at all.
- The Russian government is known to compel companies to hand over user data to domestic security agencies.
- Pushwoosh data is said to be stored in the United States and Germany, but that might not stop Russia from compelling the Russian software company to hand over the data.
The extent of the potential problem: Pushwoosh code is not something limited to a handful of apps used by the US Army and CDC. Instead, it is a massive database used by many companies worldwide. That includes non-profits, government agencies, and consumer goods companies.
- There are over 8,000 apps in the Apple and Google app stores containing Pushwoosh’s code. Moreover, the Russian software company says it has more than 2.3 billion devices in its database, which means it has collected an immense amount of user data. Even if it is not malicious, it is a major risk.
What data does Pushwoosh collect? To start, Pushwoosh collects geolocation data, which allows for tracking. The fact that it has been used for sensitive apps is a big deal, though location data is only one factor. The CDC apps alone gave access to information on health concerns, including sexually transmitted diseases.
- User data was not shared through every app since it was mainly used for push notifications, but a wide range of damage across all apps is to be expected.
- The US Army said that there was no “operational loss of data” and that the app did not connect directly to the Army network.
Hiding the truth: While there has been no direct evidence that Pushwoosh has done anything with the user data, it has been hiding behind fake profiles and addresses. It never mentioned its Russian connection and stated its address as a house in Kensington, Maryland. The same address was used on several social media accounts.
The house in Maryland belongs to a friend of Konev, who said the founder began using the home for business correspondence during the pandemic. It also previously listed an address in Union City, California as its place of business between 2014 and 2016, but the address does not exist.
Additionally, it was found that two of its Washington, D.C.-based executives listed on LinkedIn were not real people, supposedly being created by a marketing agency in 2018 to sell Pushwoosh on social media. Regardless of the truth, the facts do not paint the Russian software company in a trustworthy light.