US Army and CDC remove code from apps after finding out it was Russian-made

Technology

The tension between Russia and the United States has authorities overly cautious about using any software or digital services from the region. Reuters has identified one Russian firm that appears to be posing as a US developer. So far, two government agencies have pulled or altered apps using the Siberian provider’s code.

The US Army and the Centers for Disease Control and Prevention (CDC) have removed several “public-facing” apps, citing security concerns over Russian-designed code within their programs. The developer in question is Pushwoosh, which provides software and data processing support to other app makers for marketing purposes.

Pushwoosh is headquartered in Novosibirsk, Siberia, with about 40 employees, although its website says it has 150. It has an annual revenue of around 143,270,000 rubles ($2.4 million US), which it pays taxes on in Russia. The company has also registered with US regulators claiming various domestic operations locations, including California, Maryland, and Washington, DC. It lists its location as “Washington, DC” and “Kensington, Maryland” on its social media accounts.

The address Pushwoosh registered in the US is a residential home in Maryland belonging to a “friend” of Pushwoosh founder Max Konev. The anonymous homeowner says he has no business connections with the company other than his address, which allegedly only received domestic correspondence during the pandemic. Currently, Konev operates the company out of Thailand, although Reuters could find no listings for Pushwoosh with Thai regulators.

“Founded in 2011, over the years the company has become one of the leading marketing services with over 150 employees and offices in multiple countries,” says Pushwoosh’s “About” page. “Thousands of startups and global leading brands rely on Pushwoosh in building effective marketing processes.”

The CDC claims that Pushwoosh “deceived” it into thinking it was a US company. After being notified that the developer was Russian-based, the CDC pulled Pushwoosh’s code from seven of its apps listed on Google Play and Apple’s App Store. Likewise, the US Army pulled an entire app commonly used by personnel at an unnamed US military base.

The company claims that it does not collect “sensitive information” and positions its online presence as simply one of thousands of other marketing tools for app developers (below tweet). Indeed, Reuters admits that it couldn’t find evidence that the company mishandled user data but also points out that nothing can stop Russian state intelligence agencies from demanding user data from Pushwoosh just as it has from other software firms in the past.

Despite the allegations, Pushwoosh denies trying to pass itself off as an American company.

“I am proud to be Russian, and I would never hide this,” Konev told Reuters, adding, “[Pushwoosh] has no connection with the Russian government of any kind.”

Konev also noted that user data is stored in the US and Germany. However, the location of user information provides little protection from Russian authorities demanding the company hand it over. Since the onset of the Ukraine conflict, US officials have had intense concerns over Russia attempting to spy on or sabotage domestic companies, agencies, and infrastructure.

The US Army and CDC are not Pushwoosh’s only customers either. The firm claims to have apps on over 2.3 billion devices, with more than 8,000 apps on iOS and Android using Pushwoosh code to push targeted notifications to users. Clients include large corporations, non-profit organizations, and other government entities. Reuters listed a few by name, including international goods provider Unilever, the Union of European Football Associations, the National Rifle Association (NRA), and Britain’s Labour Party.

Legal experts say Pushwoosh’s deceptiveness might violate contracting laws and US Federal Trade Commission (FTC) regulations. A former FTC director of consumer protection said the case is directly within the Commission’s jurisdiction and would fall into the realm of “unfair and deceptive practices affecting US consumers.”

However, the FTC, US Treasury, and Federal Bureau of Investigation have refused to comment or acknowledge if any investigations have resulted from the matter. Likewise, Apple and Google have not commented directly on Pushwoosh but stated that data and user security were their primary focus.