Exclusive: Russian software disguised as American finds its way into US military and CDC apps
LONDON/WASHINGTON, Nov 14 (Reuters) – Thousands of smartphone apps in online stores from Apple (AAPL.O) and Google (GOOGL.O) contain computer code developed by a technology company, Pushwoosh, which presents itself as based in the United States. , but is actually Russian, Reuters found.
The Centers for Disease Control and Prevention (CDC), the lead US agency for tackling major health threats, said it was tricked into believing Pushwoosh was based in the US capital. After learning about his Russian roots from Reuters, he removed Pushwoosh software from seven public-facing apps, citing security concerns.
The US military said it removed an app containing the Pushwoosh code in March due to the same concerns. This application was used by the soldiers of one of the main combat training bases in the country.
According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian city of Novosibirsk, where it is registered as a software company that also does data processing. It employs about 40 people and had a turnover of 143,270,000 rubles ($2.4 million) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.
On social media and in US regulatory documents, however, it presents itself as an American company, based at various times in California, Maryland and Washington, DC, Reuters found.
Pushwoosh provides code and data processing support to software developers, enabling them to profile smartphone app users’ online activity and send tailored push notifications from Pushwoosh servers.
On its website, Pushwoosh says it does not collect sensitive information, and Reuters found no evidence that Pushwoosh mishandled user data. Russian authorities, however, forced local companies to hand over user data to national security agencies.
Pushwoosh founder Max Konev told Reuters in a September email that the company had made no attempt to hide its Russian origins. “I am proud to be Russian and I would never hide it.”
He said the company “has no connection with the Russian government of any kind” and stores its data in the United States and Germany.
Cybersecurity experts have said that storing the data abroad, however, would not prevent Russian intelligence agencies from forcing a Russian company to give up access to that data.
Russia, whose ties with the West have soured since its takeover of the Crimean peninsula in 2014 and its invasion of Ukraine this year, is a world leader in hacking and cyber espionage, spying on governments and foreign industries to seek competitive advantage, according to Western officials.
The Pushwoosh code has been installed in the apps of a wide range of international companies, influential nonprofits and government agencies, global consumer goods company Unilever Plc (ULVR.L) and the Union of European Football Associations (UEFA) to the mighty American gun. lobby, the National Rifle Association (NRA) and the British Labor Party.
Pushwoosh’s dealings with U.S. government agencies and private companies could violate contract laws and the U.S. Federal Trade Commission (FTC) or trigger penalties, 10 legal experts told Reuters. The FBI, US Treasury and FTC declined to comment.
Jessica Rich, former director of the FTC’s Consumer Protection Bureau, said “this type of case falls directly under the authority of the FTC,” which cracks down on unfair or deceptive practices affecting American consumers.
Washington could choose to impose sanctions on Pushwoosh and has broad power to do so, sanctions experts said, including possibly through a 2021 executive order that gives the United States the power to do so. possibility of targeting the Russian technology sector for malicious cyber activities.
The Pushwoosh code has been embedded in nearly 8,000 apps in the Google and Apple app stores, according to Appfigures, an app intelligence website. Pushwoosh’s website says it has over 2.3 billion devices listed in its database.
“Pushwoosh collects user data, including precise geolocation, on sensitive and government apps, which could enable invasive tracking at scale,” said Jerome Dangu, co-founder of Confiant, a usage tracking firm. misuse of data collected in online advertising supply chains.
“We found no clear signs of deceptive or malicious intent in Pushwoosh’s activity, which certainly does not diminish the risk of app data leaking to Russia,” he added.
Google said privacy was a “major concern” for the company, but did not respond to requests for comment on Pushwoosh. Apple said it takes user trust and security seriously, but also declined to answer questions.
Keir Giles, a Russia expert at London-based Chatham House think tank, said that despite international sanctions against Russia, a “substantial number” of Russian companies were still trading overseas and collecting people’s personal data. people.
Given Russia’s internal security laws, “it should come as no surprise that with or without direct ties to Russian state espionage campaigns, companies that process data will want to downplay their Russian roots,” he said. he declared.
After Reuters raised Pushwoosh’s Russian ties to the CDC, the health agency removed the code from its apps because “the company has a potential security issue,” spokeswoman Kristen Nordlund said.
“CDC believed that Pushwoosh was a company based in the Washington, DC area,” Nordlund said in a statement. The belief was based on “representations” made by the company, she said, without further details.
CDC apps containing the Pushwoosh code included the agency’s main app and others set up to share information about a wide range of health issues. One was for doctors dealing with sexually transmitted diseases. While the CDC has also used the company’s notifications for health issues such as COVID, the agency said it “does not share user data with Pushwoosh.”
The military told Reuters it removed an app containing Pushwoosh in March, citing “security concerns”. He did not say to what extent the app, which was an information portal for use at his National Training Center (NTC) in California, had been used by troops.
The NTC is a major combat training facility in the Mojave Desert for soldiers before deployment, which means a data breach there could reveal upcoming troop movements overseas.
US Army spokesman Bryce Dubee said the Army had not experienced any “operational loss of data”, adding that the app did not connect to the Army’s network.
Some large companies and organizations, including UEFA and Unilever, said third parties had set up the apps for them, or believed they were hiring a US company.
“We do not have a direct relationship with Pushwoosh,” Unilever said in a statement, adding that Pushwoosh was removed from one of its apps “some time ago.”
UEFA said his contract with Pushwoosh was “with an American company”. UEFA declined to say whether it was aware of Pushwoosh’s Russian links, but said it was reviewing its relationship with the company after being contacted by Reuters.
The NRA said its contract with the company ended last year and it was “not aware of any issues”.
Britain’s Labor Party did not respond to requests for comment.
“The data collected by Pushwoosh is similar to data that might be collected by Facebook, Google or Amazon, but the difference is that all Pushwoosh data in the United States is sent to servers controlled by a company (Pushwoosh) in Russia”, said Zach Edwards. , a security researcher, who first spotted the prevalence of Pushwoosh code while working for the nonprofit Internet Safety Labs.
Roskomnadzor, Russia’s communications regulator, did not respond to a Reuters request for comment.
FALSE ADDRESS, FALSE PROFILES
In US regulatory documents and on social media, Pushwoosh never mentions its ties to Russia. The company lists “Washington, DC” as a location on Twitter and claims its office address as a home in suburban Kensington, Maryland, according to its latest US company filings submitted to the Delaware Secretary of State. He also lists the Maryland address on his Facebook and LinkedIn profiles.
The Kensington home is the home of a Russian friend of Konev’s who spoke to a Reuters reporter on condition of anonymity. He said he had nothing to do with Pushwoosh and only agreed to allow Konev to use his address to receive mail.
Konev said Pushwoosh began using the Maryland address to “receive business correspondence” during the coronavirus pandemic.
He said he now operates Pushwoosh from Thailand, but provided no evidence that he is registered there. Reuters could not find a company with that name in the Thai Companies Registry.
Pushwoosh never mentioned he was based in Russia in eight annual filings in the US state of Delaware, where he is registered, an omission that could violate state law.
Instead, Pushwoosh listed an address in Union City, Calif., as its principal place of business from 2014 to 2016. That address does not exist, according to Union City officials.
Pushwoosh used LinkedIn accounts allegedly belonging to two Washington, DC-based executives named Mary Brown and Noah O’Shea to solicit sales. But neither Brown nor O’Shea are real people, Reuters found.
The one belonging to Brown was actually that of an Austria-based dance teacher, taken by a photographer in Moscow, who told Reuters she had no idea how it ended up on the site .
Konev acknowledged that the accounts were not authentic. He said Pushwoosh hired a marketing agency in 2018 to set them up with the aim of using social media to sell Pushwoosh, not to hide the company’s Russian origins.
LinkedIn said it deleted the accounts after being alerted by Reuters.
Reporting by James Pearson in London and Marisa Taylor in Washington Additional reporting by Chris Bing in Washington, Editing by Chris Sanders and Ross Colvin
Our standards: The Thomson Reuters Trust Principles.