Russian Software Falsely Labeled as ‘American’ Found in Apps Used by U.S. Army, CDC
According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk.
In an exclusive report, Reuters found that thousands of smartphone applications in Apple and Google’s online stores contain a computer code developed by a technology company, Pushwoosh, that is identified as “American” but is Russian.
The Centers for Disease Control and Prevention (CDC), the United States’ main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the U.S. capital. After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns.
…According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.
On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.
Pushwoosh provides code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.
Army soldiers used an app containing the computer code at one of the country’s main combat training bases. The Army removed the app in March.
“The app in question was developed in 2016 by an individual who is no longer associated with the National Training Center (NTC) using a free version of Pushwoosh,” US Army spokesperson Bryce Dubee told The Register, adding there was no contract. “NTC reports they did not have any knowledge that Pushwoosh code was part of the app and were not aware of Pushwoosh itself or that it was a Russian-owned company.”
“As regulations and guidance have become more stringent since 2016, PM Army Mobile moved to have the app taken offline completely while conducting a routine review of authorized apps,” Dubee continued. “Additionally, regulations do not authorize the use of free software when paid software is available, and consequently, the PM Army Mobile team would have immediately disallowed/disapproved the use of free software.”
In addition to the US government agencies, consumer goods giant Unilever, the Union of European Football Associations, American gun lobby group National Rifle Association, and Britain’s Labour Party also installed Pushwoosh code in their apps, Reuters reported.
The CDC used the company’s code in at least seven public-facing apps. It recently ditched the software as well.
While the software owner denies the allegations, the paper trail followed by Reuters is suspicious. The investigation also did not provide evidence that collected data was sent to Russia.
The company’s founder, Max Konev, has disavowed suspicions, telling the outlet that Pushwoosh “has no connection with the Russian government of any kind” and that he had not tried to hide the company’s origins. “I am proud to be Russian and I would never hide this,” he said.
In its marketing materials and on its website the company also listed a number of physical addresses based in the U.S. that Reuters says aren’t actually connected to the company. Reporters traveled to one of the addresses and found that it was the residence of a friend of Konev’s; the friend told the reporters that he had “nothing to do with Pushwoosh and had only agreed to allow Konev to use his address to receive mail.” The other address, which was said to be the firm’s “principal place of business” from 2014 to 2016, was for a residence in a California Bay Area town that local officials say doesn’t actually exist.
At the same time, the company created a raft of social media profiles for U.S.-based executives that are also fictional, Reuters reports. Konev claims that the fake profiles were created by a marketing agency in 2018 to “use social media to sell Pushwoosh, not to mask the company’s Russian origins.”
From a cybersecurity perspective, the obvious concern here is that this company isn’t what it seems and that data collected by it could have been misused or shared with the Russian government. To be clear, though, Reuters reports that there isn’t any evidence that Pushwoosh did either of those things. That said, it isn’t without precedent for Russian law enforcement to force Russian companies to furnish user data to the government.
DONATE
Donations tax deductible
to the full extent allowed by law.
Comments
Follow the money on this one: it will lead to a democrat, and ultimately the money will flow into the democrat party coffers.
No doubt at all. Or McConnell and Romney.
As a person who worked for a software startup, you see a lot of shady stuff. Companies never like to admit that you arfe the first person they sold software to.
That being said, why are government employees allowed to put random software on their company phones?
They aren’t, really. But the penalty is rarely enforced unless somebody is trying to have you fired. Just like you aren’t supposed to use government devices for personal use or vice versa in a lot of cases.
DoD is pretty strict for govt owned devices. Where things get shady is some guy deciding he wants X application and Army doesn’t have it. He gets gung ho and uses off the shelf free software and tinkers one.
More likely some SR Officer dreamed up an ‘I want it’, was told it didn’t exist then he told a subordinate to figure out how to get him the toy. Subordinate complies and the SR Officer signs off an exception to policy memo authorizing the installation on govt devices. Which, strictly speaking, he can’t do without the 3 Star Chief of Signal agreement.
As you can imagine I was not very popular with SR Officers because I would tell them no. A few respected that but most get caught up in folks being yes men they really come unglued when someone actually says no.
Sounds to me from the article that the software doesn’t consist of a standalone app, but a set of utility subroutines for “push notifications” that other apps chose to incorporate.
That’s not what this is about. It’s about (likely) approved software that uses the mentioned code as part of its internal workings.
One of the problems with current “programming” is that so very little of it is. Instead it’s building with a bunch of black boxes that someone else programmed, and you assembled into a “product”.
2016, hmm. Makes sense, we had a traitor in the white house then as well.
Sorry my brain stopped working at “Russian software”
Yeah, that’s kind of like German Art, Italian Technology,..
Paul Klee, Lamborghini, …
The question here is not where the software originated, or with whom, but whether or not it’s malicious. If DOD was really protecting security, they should be examining whatever they intend to use to determine exactly what it does. And, excluding the use of free software is just stupid — if it’s clean, and performs a useful function, why buy something else?
Two problems with free software:
First, it tends to be unsupported in short order. It works fine for what it’s supposed to do, but then the developer shuts down his download site and goes on to something else.
Second, free software is an easy way to introduce vulnerabilities. The developers are often not careful about what they include and with the constantly required updates nowadays the software can be fine… then it isn’t anymore.
With someone in it for profit, there’s a greater tendency to care about functionality AND security. It’s a risk mitigation strategy.
Even the lure of “open software” is deceptive. “It can be verified by anybody.” But the problem is, WILL anybody bother?
Big example was the Heartbleed vulnerability. A single programmer made an innocent error, a single auditor missed it, absolutely nobody else verified it despite the code being “open,” and online databases were open to rape and pillage by hackers for months.
“Pushwoosh” doesn’t sound even vaguely like it originated in America, but who knows?
Can’t we find any American programmers for these jobs?
Actually it does, when you understand it provides a “speedy mechanism for push notifications.”
Russian, Chinese, … does America produce anything anymore, or have we been reduced to a service economy?
American industry has outsourced beaucoup manufacturing and customer service overseas because us government regulations make it cheaper to do that than to hire an average worker to do an average job. Our wages cannot be globally competitive because our domestic tax and regulatory burden is uncompetitive. I am actually beside myself with joy when I luck into a brand whose customer service line is staffed with actual English-speaking agents.