Exclusive: Russian software disguised as an American makes its way into the US Army’s CDC apps

LONDON / WASHINGTON, Nov 14 (Reuters) – Thousands of smartphone apps in Apple (AAPL.O) and Google (GOOGL.O) online stores contain computer code developed by a tech company, Pushwoosh, which presents itself as headquartered in the United States, but is actually Russian, Reuters found.

The Centers for Disease Control and Prevention (CDC), the leading US agency for combating major health threats, said it was duped into believing Pushwoosh was based in the US capital. After learning of its Russian roots from Reuters, it removed Pushwoosh software from seven public apps, citing security concerns.

The US military said it removed an app containing the Pushwoosh code in March due to the same concerns. That app was used by soldiers at one of the country’s leading combat training bases.

According to corporate documents filed publicly in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian city of Novosibirsk, where it is registered as a software company that also deals with data processing. It employs about 40 people and last year recorded a turnover of 143,270,000 rubles ($ 2.4 million). Pushwoosh is registered with the Russian government to pay taxes in Russia.

On social media and in U.S. regulatory archives, however, it presents itself as a U.S. company, headquartered at various times in California, Maryland, and Washington, DC, Reuters found.

Pushwoosh provides code and data processing support to software developers, enabling them to profile smartphone app users’ online activity and send customized push notifications from Pushwoosh servers.

On its website, Pushwoosh claims it does not collect sensitive information, and Reuters found no evidence that Pushwoosh mishandled user data. Russian authorities, however, forced local companies to hand over user data to internal security agencies.

Pushwoosh founder Max Konev told Reuters in a September email that the company had not tried to disguise its Russian origins. “I am proud to be Russian and I would never hide it.”

He said the company “has no connection with the Russian government of any kind” and stores his data in the United States and Germany.

However, cybersecurity experts said storing data overseas would not prevent Russian intelligence agencies from forcing a Russian company to cede access to such data.

Russia, whose ties to the West have deteriorated since its takeover of the Crimean Peninsula in 2014 and the invasion of Ukraine this year, is a global leader in hacking and cyber-espionage, spying on governments and industries. foreigners to seek competitive advantage, according to Western officials.

Reuters graphics


The Pushwoosh code has been installed in the apps of a wide range of international corporations, influential nonprofits and government agencies by the global consumer goods company Unilever Plc (ULVR.L) and the Union of European Football Associations (UEFA) at powerful American gun politically lobby, the National Rifle Association (NRA) and the British Labor Party.

Pushwoosh’s deals with U.S. government agencies and private companies could violate U.S. Federal Trade Commission (FTC) contracts and laws or trigger sanctions, 10 legal experts told Reuters. The FBI, the US Treasury and the FTC declined to comment.

Jessica Rich, former director of the FTC’s Bureau of Consumer Protection, said that “these kinds of cases fall under the authority of the FTC,” which crack down on unfair or deceptive practices affecting US consumers.

Washington could choose to impose sanctions on Pushwoosh and has broad authority to do so, sanctions experts said, including through a 2021 executive order that gives the US the ability to target the Russian tech sector for malicious cyber activity.

The Pushwoosh code has been embedded in nearly 8,000 apps in the Google and Apple app stores, according to Appfigures, an app intelligence website. Pushwoosh’s website claims to have more than 2.3 billion devices listed in its database.

“Pushwoosh collects user data, including precise geolocation, on sensitive and government apps, which could enable large-scale invasive monitoring,” said Jerome Dangu, co-founder of Confiant, a company that tracks usage. improper data collected in online advertising supply chains.

“We did not find any clear signs of misleading or malicious intent in Pushwoosh’s business, which certainly does not decrease the risk of app data being leaked to Russia,” he added.

Google said privacy was a “big focus” for the company, but did not respond to requests for comment on Pushwoosh. Apple said it takes user trust and safety seriously, but likewise declined to answer questions.

Keir Giles, a Russia expert at London’s Chatham House think tank, said that despite international sanctions on Russia, a “substantial number” of Russian companies were still trading overseas and collecting personal data of individuals.

Given Russia’s internal security laws, “it should come as no surprise that, with or without direct links to Russian state espionage campaigns, data companies will be eager to play down their Russian roots,” he said.


After Reuters lifted Pushwoosh’s Russian ties to the CDC, the health agency removed the code from its apps because “the company has a potential security problem,” spokeswoman Kristen Nordlund said.

“CDC believed that Pushwoosh was a company based in the Washington, DC area,” Nordlund said in a statement. The belief was based on “representations” made by the company, he said, without elaborating.

The CDC apps that contained the Pushwoosh code included the agency’s main app and others configured to share information on a wide range of health issues. One was for doctors who treated sexually transmitted diseases. Although the CDC also used the company’s notifications for health issues such as COVID, the agency said it “does not share user data with Pushwoosh.”

The military told Reuters it removed an app containing Pushwoosh in March, citing “security concerns”. He did not say how widely the app, which was an information portal for use at his National Training Center (NTC) in California, had been used by the troops.

The NTC is a major Mojave Desert battle training center for soldiers prior to deployment, meaning a data breach could reveal impending troop movements overseas.

US Army spokesman Bryce Dubee said the military did not suffer “operational data loss,” adding that the app did not connect to the army network.

Some large companies and organizations, including UEFA and Unilever, have said that third parties have set up the apps for them or were considering hiring a US company.

“We don’t have a direct relationship with Pushwoosh,” Unilever said in a statement, adding that Pushwoosh was removed from one of its apps “some time ago.”

UEFA said his contract with Pushwoosh was “with a US company”. UEFA declined to say whether it was aware of Pushwoosh’s Russian ties, but said she was reviewing her relationship with the club after being contacted by Reuters.

The NRA said his contract with the company ended last year and he “was not aware of any problems”.

The British Labor Party did not respond to requests for comment.

“The data Pushwoosh collects is similar to data that Facebook, Google or Amazon might collect, but the difference is that all Pushwoosh data in the US is sent to servers controlled by a company (Pushwoosh) in Russia,” he said. Zach Edwards, a security researcher, who first spotted the prevalence of the Pushwoosh code while working for Internet Safety Labs, a non-profit organization.

Roskomnadzor, Russia’s state communications regulator, did not respond to a request for comment from Reuters.


In US regulatory documents and on social media, Pushwoosh never mentions his Russian connections. The company lists “Washington, DC” as its headquarters on Twitter and claims its office address as a home in the suburb of Kensington, Maryland, according to the company’s latest documents submitted to the Delaware secretary of state. It also lists the Maryland address on its Facebook and LinkedIn profiles.

The Kensington house is the home of a Russian friend of Konev’s who spoke to a Reuters reporter on condition of anonymity. He said he had nothing to do with Pushwoosh and had only agreed to allow Konev to use his address to receive mail.

Konev said Pushwoosh had begun using the Maryland address to “receive business correspondence” during the coronavirus pandemic.

He said he now runs Pushwoosh from Thailand but has not provided evidence that he is registered there. Reuters was unable to find a company with that name in the Thai company register.

Pushwoosh never mentioned that it was based in Russia in eight annual documents in the US state of Delaware, where it is registered, an omission that could violate state law.

Instead, Pushwoosh listed an address in Union City, California, as its main business location from 2014 to 2016. Such an address does not exist, according to Union City officials.

Pushwoosh used LinkedIn accounts allegedly belonging to two Washington, DC-based executives named Mary Brown and Noah O’Shea to solicit sales. But neither Brown nor O’Shea are real people, Reuters found.

Brown’s was actually from an Austria-based dance teacher, shot by a photographer in Moscow, who told Reuters she had no idea how she got on the site.

Konev acknowledged that the accounts were not authentic. He said Pushwoosh hired a marketing agency in 2018 to create them in an effort to use social media to sell Pushwoosh, not to disguise the company’s Russian origins.

LinkedIn said it removed the accounts after being warned by Reuters.

Reportage by James Pearson in London and Marisa Taylor in Washington Additional reportage by Chris Bing in Washington, editing by Chris Sanders and Ross Colvin

Our Standards: Thomson Reuters Trust Principles.


Leave a Reply

%d bloggers like this: