Breaking News
Investing Pro 0
🚨 Our Pro Data Reveals the True Winner of Earnings Season Access Data

Exclusive-Russian software disguised as American finds its way into U.S. Army, CDC apps

Global Nov 17, 2022 04:46
Saved. See Saved Items.
This article has already been saved in your Saved Items
 
4/4 © Reuters. The entrance of the National Training Centre, a U.S. military training area located in the Mojave Desert in Fort Irwin, California, U.S., October 14, 2022. REUTERS/Aude Guerrucci 2/4
 
GOOGL
-2.75%
Add to/Remove from a Portfolio
Add to Watchlist
Add Position

Position added successfully to:

Please name your holdings portfolio
 
AAPL
+2.44%
Add to/Remove from a Portfolio
Add to Watchlist
Add Position

Position added successfully to:

Please name your holdings portfolio
 
UL
+0.50%
Add to/Remove from a Portfolio
Add to Watchlist
Add Position

Position added successfully to:

Please name your holdings portfolio
 
GOOG
-3.29%
Add to/Remove from a Portfolio
Add to Watchlist
Add Position

Position added successfully to:

Please name your holdings portfolio
 
ULVR
+1.10%
Add to/Remove from a Portfolio
Add to Watchlist
Add Position

Position added successfully to:

Please name your holdings portfolio
 

By James Pearson and Marisa Taylor

LONDON/WASHINGTON (Reuters) -Thousands of smartphone applications in Apple (NASDAQ:AAPL) and Google (NASDAQ:GOOGL)'s online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.

The Centers for Disease Control and Prevention (CDC), the United States' main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the U.S. capital. After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns.

    The U.S. Army said it had removed an app containing Pushwoosh code in March because of the same concerns. That app was used by soldiers at one of the country's main combat training bases.

    According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.

    On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.

    Pushwoosh provides code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.

On its website, Pushwoosh says it does not collect sensitive information, and Reuters found no evidence Pushwoosh mishandled user data. Russian authorities, however, have compelled local companies to hand over user data to domestic security agencies.

Pushwoosh's founder, Max Konev, told Reuters in a September email that the company had not tried to mask its Russian origins. "I am proud to be Russian and I would never hide this."

Pushwoosh published a blog post after the Reuters article was issued, which said: "Pushwoosh Inc. is a privately held C-Corp company incorporated under the state laws of Delaware, USA. Pushwoosh Inc. was never owned by any company registered in the Russian Federation."

The company also said in the post, "Pushwoosh Inc. used to outsource development parts of the product to the Russian company in Novosibirsk, mentioned in the article. However, in February 2022, Pushwoosh Inc. terminated the contract."

After Pushwoosh published its post, Reuters asked Pushwoosh to provide evidence for its assertions, but the news agency’s requests went unanswered.

Konev said the company "has no connection with the Russian government of any kind" and stores its data in the United States and Germany.

    Cybersecurity experts said storing data overseas would not prevent Russian intelligence agencies from compelling a Russian firm to cede access to that data, however.

    Russia, whose ties with the West have deteriorated since its takeover of the Crimean Peninsula in 2014 and its invasion of Ukraine this year, is a global leader in hacking and cyber-espionage, spying on foreign governments and industries to seek competitive advantage, according to Western officials.

HUGE DATABASE

Pushwoosh code was installed in the apps of a wide array of international companies, influential non-profits and government agencies from global consumer goods company Unilever (LON:ULVR) Plc and the Union of European Football Associations (UEFA) to the politically powerful U.S. gun lobby, the National Rifle Association (NRA), and Britain's Labour Party.

Pushwoosh's business with U.S. government agencies and private companies could violate contracting and U.S. Federal Trade Commission (FTC) laws or trigger sanctions, 10 legal experts told Reuters. The FBI, U.S. Treasury and the FTC declined to comment.

Jessica Rich, former director of the FTC's Bureau of Consumer Protection, said "this type of case falls right within the authority of the FTC," which cracks down on unfair or deceptive practices affecting U.S. consumers.

Washington could choose to impose sanctions on Pushwoosh and has broad authority to do so, sanctions experts said, including possibly through a 2021 executive order that gives the United States the ability to target Russia's technology sector over malicious cyber activity.

Pushwoosh code has been embedded into almost 8,000 apps in the Google and Apple app stores, according to Appfigures, an app intelligence website. Pushwoosh's website says it has more than 2.3 billion devices listed in its database.

    "Pushwoosh collects user data including precise geolocation, on sensitive and governmental apps, which could allow for invasive tracking at scale," said Jerome Dangu, co-founder of Confiant, a firm that tracks misuse of data collected in online advertising supply chains.

    "We haven't found any clear sign of deceptive or malicious intent in Pushwoosh's activity, which certainly doesn't diminish the risk of having app data leaking to Russia," he added.

    Google said privacy was a "huge focus" for the company but did not respond to requests for comment about Pushwoosh. Apple said it takes user trust and safety seriously but similarly declined to answer questions.

    Keir Giles, a Russia expert at London think tank Chatham House, said despite international sanctions on Russia, a "substantial number" of Russian companies were still trading abroad and collecting people's personal data.

    Given Russia's domestic security laws, "it shouldn't be a surprise that with or without direct links to Russian state espionage campaigns, firms that handle data will be keen to play down their Russian roots," he said.

    'SECURITY ISSUES'

    After Reuters raised Pushwoosh's Russian links with the CDC, the health agency removed the code from its apps because "the company presents a potential security concern," spokesperson Kristen Nordlund said.

    "CDC believed Pushwoosh was a company based in the Washington, D.C. area," Nordlund said in a statement. The belief was based on "representations" made by the company, she said, without elaborating.

The CDC apps that contained Pushwoosh code included the agency's main app and others set up to share information on a wide range of health concerns. One was for doctors treating sexually transmitted diseases. While the CDC also used the company's notifications for health matters such as COVID, the agency said it "did not share user data with Pushwoosh."

    The Army told Reuters it removed an app containing Pushwoosh in March, citing "security issues." It did not say how widely the app, which was an information portal for use at its National Training Center (NTC) in California, had been used by troops.

    The NTC is a major battle training center in the Mojave Desert for pre-deployment soldiers, meaning a data breach there could reveal upcoming overseas troop movements.

    U.S. Army spokesperson Bryce Dubee said the Army had suffered no "operational loss of data," adding that the app did not connect to the Army network.

    Some large companies and organizations including UEFA and Unilever said third parties set up the apps for them, or they thought they were hiring a U.S. company.

    "We don't have a direct relationship with Pushwoosh," Unilever said in a statement, adding that Pushwoosh was removed from one of its apps "some time ago."

    UEFA said its contract with Pushwoosh was "with a U.S. company." UEFA declined to say if it knew of Pushwoosh's Russian ties but said it was reviewing its relationship with the company after being contacted by Reuters.

    The NRA said its contract with the company ended last year, and it was "not aware of any issues."

    Britain's Labour Party did not respond to requests for comment.

    "The data Pushwoosh collects is similar to data that could be collected by Facebook (NASDAQ:META), Google or Amazon (NASDAQ:AMZN), but the difference is that all the Pushwoosh data in the U.S. is sent to servers controlled by a company (Pushwoosh) in Russia," said Zach Edwards, a security researcher, who first spotted the prevalence of Pushwoosh code while working for Internet Safety Labs, a nonprofit organization.

Roskomnadzor, Russia's state communications regulator, did not respond to a request from Reuters for comment.

    FAKE ADDRESS, FAKE PROFILES

    In U.S. regulatory filings and on social media, Pushwoosh never mentions its Russian links. The company lists "Washington, D.C." as its location on Twitter and claims its office address as a house in the suburb of Kensington, Maryland, according to its latest U.S. corporation filings submitted to Delaware's secretary of state. It also lists the Maryland address on its Facebook and LinkedIn profiles.

    The Kensington house is the home of a Russian friend of Konev's who spoke to a Reuters journalist on condition of anonymity. He said he had nothing to do with Pushwoosh and had only agreed to allow Konev to use his address to receive mail.

    Konev said Pushwoosh had begun using the Maryland address to "receive business correspondence" during the coronavirus pandemic.

He said he now operates Pushwoosh from Thailand but provided no evidence that it is registered there. Reuters could not find a company by that name in the Thai company registry.

    Pushwoosh never mentioned it was Russian-based in eight annual filings in the U.S. state of Delaware, where it is registered, an omission which could violate state law.

Instead, Pushwoosh listed an address in Union City, California as its principal place of business from 2014 to 2016. That address does not exist, according to Union City officials.

    Pushwoosh used LinkedIn accounts purportedly belonging to two Washington, D.C.-based executives named Mary Brown and Noah O'Shea to solicit sales. But neither Brown nor O'Shea are real people, Reuters found.

    The one belonging to Brown was actually of an Austria-based dance teacher, taken by a photographer in Moscow, who told Reuters she had no idea how it ended up on the site.

    Konev acknowledged the accounts were not genuine. He said Pushwoosh hired a marketing agency in 2018 to create them in an attempt to use social media to sell Pushwoosh, not to mask the company's Russian origins.

    LinkedIn said it had removed the accounts after being alerted by Reuters.

Exclusive-Russian software disguised as American finds its way into U.S. Army, CDC apps
 

Related Articles

Add a Comment

Comment Guidelines

We encourage you to use comments to engage with users, share your perspective and ask questions of authors and each other. However, in order to maintain the high level of discourse we’ve all come to value and expect, please keep the following criteria in mind: 

  • Enrich the conversation
  • Stay focused and on track. Only post material that’s relevant to the topic being discussed.
  • Be respectful. Even negative opinions can be framed positively and diplomatically.
  •  Use standard writing style. Include punctuation and upper and lower cases.
  • NOTE: Spam and/or promotional messages and links within a comment will be removed
  • Avoid profanity, slander or personal attacks directed at an author or another user.
  • Don’t Monopolize the Conversation. We appreciate passion and conviction, but we also believe strongly in giving everyone a chance to air their thoughts. Therefore, in addition to civil interaction, we expect commenters to offer their opinions succinctly and thoughtfully, but not so repeatedly that others are annoyed or offended. If we receive complaints about individuals who take over a thread or forum, we reserve the right to ban them from the site, without recourse.
  • Only English comments will be allowed.

Perpetrators of spam or abuse will be deleted from the site and prohibited from future registration at Investing.com’s discretion.

Write your thoughts here
 
Are you sure you want to delete this chart?
 
Post
Post also to:
 
Replace the attached chart with a new chart ?
1000
Your ability to comment is currently suspended due to negative user reports. Your status will be reviewed by our moderators.
Please wait a minute before you try to comment again.
Thanks for your comment. Please note that all comments are pending until approved by our moderators. It may therefore take some time before it appears on our website.
 
Are you sure you want to delete this chart?
 
Post
 
Replace the attached chart with a new chart ?
1000
Your ability to comment is currently suspended due to negative user reports. Your status will be reviewed by our moderators.
Please wait a minute before you try to comment again.
Add Chart to Comment
Confirm Block

Are you sure you want to block %USER_NAME%?

By doing so, you and %USER_NAME% will not be able to see any of each other's Investing.com's posts.

%USER_NAME% was successfully added to your Block List

Since you’ve just unblocked this person, you must wait 48 hours before renewing the block.

Report this comment

I feel that this comment is:

Comment flagged

Thank You!

Your report has been sent to our moderators for review
Continue with Google
or
Sign up with Email