Cyber warfare: Russian software used as a Trojan horse to infiltrate the American government.

According to reporters, thousands of smartphone applications available from Apple and Google’s online shops use computer code created by Pushwoosh, a company that falsely claims to be based in the US but is actually based in Russia.

The U.S. government’s primary agency for battling significant health concerns, the Centers for Disease Control and Prevention (CDC), claimed it had been duped into thinking Pushwoosh was situated in the nation’s capital. It disabled the Pushwoosh software from seven publicly accessible apps after learning about its Russian origins from reporters and citing security reasons.

The U.S. Army claimed that due to the same worries, it had withdrawn Pushwoosh-containing software in March. At one of the largest sites for military training in the nation, soldiers were using that app.

Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software firm that also performs data processing, per company paperwork that was made publicly available in Russia and examined by reporters. It has a workforce of about 40 workers and generated $2.4 million in revenue the previous year. To pay taxes in Russia, Pushwoosh has registered with the Russian government.

However, it promotes itself as a U.S. corporation on social media and in regulatory filings, with variously stated headquarters in California, Maryland, and Washington, D.C.

Software developers can profile the online behavior of smartphone app users and send custom push alerts from Pushwoosh servers thanks to the code and data processing assistance provided by Pushwoosh.

According to Pushwoosh’s website, it does not gather sensitive data, and reporters could find no indication that the company handled customer data improperly. However, Russian authorities have coerced local businesses to provide user data to domestic security organizations.

In a September email to reporters, Pushwoosh’s creator, Max Konev, stated that the business had not made an effort to hide its Russian roots. “I would never conceal the fact that I am pleased to be Russian.”

The company, he claimed, “has no link at all with the Russian government,” and it saves its data in Germany and the United States.

However, according to cybersecurity experts, keeping data abroad would not stop Russian intelligence agencies from pressuring a Russian company to give up access to that data.

According to Western officials, Russia is a world leader in hacking and cyber-espionage, spying on foreign governments and industries to gain a competitive advantage. This is despite the fact that relations between Russia and the West have deteriorated since its annexation of the Crimean Peninsula in 2014 and its invasion of Ukraine this year.

MASSIVE DATABASE

Many influential international corporations, non-profit organizations, and governmental organizations, including the Union of European Football Associations (UEFA), the global consumer goods company Unilever Plc., the National Rifle Association (NRA), and the British Labor Party, had Pushwoosh code installed in their apps.

Ten legal experts told reporters that Pushwoosh’s dealings with American government organizations and private businesses would constitute a violation of contracting rules and Federal Trade Commission (FTC) regulations or perhaps result in punishment. U.S. Treasury, the FTC, and the FBI all declined to comment.

This type of case “falls right within the authority of the FTC,” according to Jessica Rich, a former director of the FTC’s Bureau of Consumer Protection. The FTC pursues legal action against unfair or deceptive business practices that negatively impact American consumers.

Sanctions experts said Washington could choose to impose sanctions on Pushwoosh and has broad authority to do so, possibly through an executive order in 2021 that gives the US the power to target Russia’s technology sector due to nefarious cyber activity.

According to Appfigures, an app analytics service, approximately 8,000 apps in the Google and Apple app stores use Pushwoosh code. On its website, Pushwoosh claims to have a database with information on more than 2.3 billion devices.

Pushwoosh gathers user information from sensitive and governmental apps, including accurate geolocation, which might enable widespread invasive tracking, according to Jerome Dangu, co-founder of Confiant, a company that monitors the misuse of information gathered in online advertising supply chains.

He continued, “We haven’t discovered any obvious evidence of dishonest or criminal intent in Pushwoosh’s actions, which obviously doesn’t lessen the risk of app data leaking to Russia.”

Google acknowledged that privacy was a “major emphasis” for the business but declined to comment on Pushwoosh. Apple refused to provide any information other than to say that it takes customer safety and trust seriously.

Keir Giles, a Russia specialist at the London-based think tank Chatham House, said that a “significant number” of Russian companies were nonetheless conducting business abroad and gathering personal information about individuals despite the sanctions imposed on Russia.

Given Russia’s domestic security regulations, “it shouldn’t come as a surprise that enterprises that handle data will be anxious to play down their Russian background, with or without direct links to Russian official espionage campaigns,” he said.

SECURITY CONCERNS

The CDC deleted the code from its apps after reporters brought up Pushwoosh’s connections to Russia, saying that “the company presents a possible security problem,” according to spokeswoman Kristen Nordlund.

According to Nordlund in a statement, “CDC believed Pushwoosh was a company based in the Washington, D.C. area.” She stated without going into further detail that the belief was founded on “representations” made by the company.

The main CDC app as well as additional ones created to offer information on a variety of health issues were among the CDC applications that incorporated Pushwoosh code. One was for medical professionals who treat STDs. Despite using Pushwoosh’s notifications for health-related issues like COVID, the CDC claimed that it “did not share user data with Pushwoosh.”

According to reporters, the Army banned an app containing Pushwoosh code in March due to “security concerns.” It did not specify the extent to which troops had utilized the app, which served as an information portal for use at its National Training Center (NTC) in California.

A data leak at the NTC, a significant battle training facility for pre-deployment soldiers in the Mojave Desert, could give away future military movements abroad.

A spokeswoman for the United States Army, Bryce Dubee, stated that there had been no “operational loss of data” for the Army and that the app had not connected to the Army network.

Some significant businesses and organizations, such as UEFA and Unilever, claimed that third parties either set up the apps for them or that they mistakenly believed they were hiring a U.S. firm.

Pushwoosh was “some time ago” removed from one of Unilever’s apps, the company claimed in a statement, adding that “we don’t have a direct relationship with Pushwoosh.”

According to UEFA, Pushwoosh’s contract was “with a U.S. firm.” After being contacted by reporters, UEFA said it was assessing its relationship with the company but would not disclose whether it was aware of Pushwoosh’s connections to Russia.

The NRA stated that it was “not aware of any difficulties” and that its contract with the company expired last year.

Inquiries for comment were not answered by the British Labor Party.

Zach Edwards, a security researcher, first noticed the prevalence of Pushwoosh code while working for Internet Safety Labs, a nonprofit organization. “The data Pushwoosh collects is similar to data that could be collected by Facebook, Google, or Amazon, but the difference is that all the Pushwoosh data in the U.S. is sent to servers controlled by a company (Pushwoosh) in Russia,” he said.

Russian state communications regulator Roskomnadzor did not respond to a request for comment.

FAKE PROFILES AND ADDRESSES

Pushwoosh never refers to its ties to Russia in its filings with American regulatory bodies or on social media. According to its most recent U.S. corporate documents delivered to Delaware’s secretary of state, the company says its office address is a home in the Maryland suburb of Kensington, even though it identifies “Washington, D.C.” as its location on Twitter. Additionally, on its Facebook and LinkedIn sites, it provides the Maryland address.

A Russian acquaintance of Konev’s who spoke to a reporter under the condition of anonymity resides in the Kensington residence. He said that aside from granting Konev permission to use his address to receive mail, he had no connection to Pushwoosh.

During the coronavirus outbreak, according to Konev, Pushwoosh started using the Maryland address to “receive business letters.”

He claimed to be running Pushwoosh out of Thailand, but he offered no proof that it was registered there. In the Thai company registry, reporters were unable to locate a company with such a name.

In eight yearly filings in the American state of Delaware, where it is registered, Pushwoosh never stated that it was based in Russia, which might be against state law.

Instead, from 2014 to 2016, Pushwoosh designated Union City, California, as its primary place of business. The authorities for Union City claim that there is no such address.

Pushwoosh allegedly exploited the LinkedIn accounts of two executives from Washington, D.C., named Mary Brown and Noah O’Shea, to entice customers. However, reporters discovered that neither Brown nor O’Shea is a genuine person.

The photo that belonged to Brown was actually taken in Moscow by a photographer and was of an Austrian dance instructor; the photographer told reporters she had no idea how the photo wound up on the website.

Konev admitted that the accounts were false. He claimed that Pushwoosh hired a marketing firm to develop them in 2018 in an effort to use social media to advertise Pushwoosh rather than hide the firm’s Russian roots.

Following a notification from reporters, LinkedIn claimed to have deleted the accounts.
