Russian software disguised as American found on US Army, CDC apps

A Russian flag is seen on the laptop screen in front of a computer screen on which cyber code is displayed, in this illustration picture taken March 2, 2018.

Pushwoosh, which presents itself as a US-based company, was found to be registered with the Russian government to pay taxes in Russia.

Thousands of smartphone applications in Apple and Google's online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States but is actually Russian, Reuters has found.

The Centers for Disease Control and Prevention (CDC), the United States' main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the US capital. After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns.

The US Army said it had removed an app containing Pushwoosh code in March because of the same concerns. That app was used by soldiers at one of the country's main combat training bases.

So where is Pushwoosh based?

According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.

Computer keyboard [illustrative]. (credit: ING IMAGE/ASAP)

On social media and in US regulatory filings, however, it presents itself as a US company, based at various times in California, Maryland and Washington, DC, Reuters found.

Pushwoosh provides code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.

On its website, Pushwoosh says it does not collect sensitive information, and Reuters found no evidence Pushwoosh mishandled user data. Russian authorities, however, have compelled local companies to hand over user data to domestic security agencies.

Pushwoosh founder says he didn't try to hide Russian origins

Pushwoosh's founder, Max Konev, told Reuters in a September email that the company had not tried to mask its Russian origins. "I am proud to be Russian and I would never hide this."

Pushwoosh published a blog post after the Reuters article was issued, which said: "Pushwoosh Inc. is a privately held C-Corp company incorporated under the state laws of Delaware, USA. Pushwoosh Inc. was never owned by any company registered in the Russian Federation."

The company also said in the post, "Pushwoosh Inc. used to outsource development parts of the product to the Russian company in Novosibirsk, mentioned in the article. However, in February 2022, Pushwoosh Inc. terminated the contract."

After Pushwoosh published its post, Reuters asked Pushwoosh to provide evidence for its assertions, but the news agency’s requests went unanswered.

Konev said the company "has no connection with the Russian government of any kind" and stores its data in the United States and Germany.

Cybersecurity experts said storing data overseas would not prevent Russian intelligence agencies from compelling a Russian firm to cede access to that data, however.

Russia, whose ties with the West have deteriorated since its takeover of the Crimean Peninsula in 2014 and its invasion of Ukraine this year, is a global leader in hacking and cyber-espionage, spying on foreign governments and industries to seek competitive advantage, according to Western officials.

 Fake addresses, fake profiles

In US regulatory filings and on social media, Pushwoosh never mentions its Russian links. The company lists "Washington, DC" as its location on Twitter and claims its office address as a house in the suburb of Kensington, Maryland, according to its latest US corporation filings submitted to Delaware's secretary of state. It also lists the Maryland address on its Facebook and LinkedIn profiles.

The Kensington house is the home of a Russian friend of Konev's who spoke to a Reuters journalist on condition of anonymity. He said he had nothing to do with Pushwoosh and had only agreed to allow Konev to use his address to receive mail.

Konev said Pushwoosh had begun using the Maryland address to "receive business correspondence" during the coronavirus pandemic.

He said he now operates Pushwoosh from Thailand but provided no evidence that it is registered there. Reuters could not find a company by that name in the Thai company registry.

Pushwoosh never mentioned it was Russian-based in eight annual filings in the US state of Delaware, where it is registered, an omission that could violate state law.

Instead, Pushwoosh listed an address in Union City, California as its principal place of business from 2014 to 2016. That address does not exist, according to Union City officials.

Pushwoosh used LinkedIn accounts purportedly belonging to two Washington, DC-based executives named Mary Brown and Noah O'Shea to solicit sales. But neither Brown nor O'Shea are real people, Reuters found.

The one belonging to Brown was actually of an Austria-based dance teacher, taken by a photographer in Moscow, who told Reuters she had no idea how it ended up on the site.

Konev acknowledged the accounts were not genuine. He said Pushwoosh hired a marketing agency in 2018 to create them in an attempt to use social media to sell Pushwoosh, not to mask the company's Russian origins.

LinkedIn said it had removed the accounts after being alerted by Reuters.

Sign up for The Jerusalem Post Premium Plus for just $5

Upgrade your reading experience with an ad-free environment and exclusive content

Join Now >

Load more...