A Russian software company that appears to have gone out of its way to hide its origins has raised alarms in the US Army and several other government agencies, as its code is present in thousands of apps available through the Google and Apple app stores. The code could potentially be used for online activity tracking, and several bans have already been issued.
The company says that it is based in the US, and that it merely used a Russian software supplier as a contractor prior to the Ukraine invasion. But Reuters’ investigations into the company’s origins have turned up other highly questionable details, such as fake LinkedIn profiles and prior listed addresses that do not actually exist.
Russian security laws prompt concerns about online activity data being seized by Putin government
Pushwoosh is an “off the rack” piece of code that numerous apps use to manage push notifications that are tailored to users based on their online activity. Up until recently, it was believed to be furnished by a company based in Washington DC (by way of several other US cities over its history). The discovery that it instead appears to be a Russian software outfit, actively disguising where it originates from, has prompted both the US Army and Centers for Disease Control (CDC) to ban apps that make use of it.
Pushwoosh maintains that it is a US company, and that the issue is a misunderstanding stemming from it making use of a contractor in Siberia until early this year. Regardless of the truth of the situation, the company could face trouble if it knowingly concealed some sort of connection to a Russian firm from US regulators in its filings.
The company’s contractor story becomes harder to believe when other details of the case are examined. Reuters dug into the company’s history and found that a current listed address in Maryland was a residential home, belonging to someone who said they had no connection with Pushwoosh and had been asked by the owner to take mail in for the company. A prior address that Pushwoosh had listed in Union City, CA does not appear to actually exist.
Another problematic element is the company’s LinkedIn presence, which it admits has fake profiles listed as executives in charge of sales. The Pushwoosh CEO claims that this was the act of a rogue marketing contractor hired several years ago.
No signs of attacks or illicit online activity tracking from Russian software, but fishy story sets off alarms
Pushwoosh is reportedly in some 8,000 apps available from the major app stores, including some belonging to major companies and even government agencies from multiple countries.
The concern for government agencies is that the online activity the app collects could be seized by Russia under recently drafted national security laws, even if Pushwoosh has no ill intentions of this sort. The CDC has reportedly stripped its code from several of its own apps, and the US Army banned an internal app that had been making use of it at one of the country’s central military training bases.
Public registration documents filed in Russia appear to indicate that Pushwoosh is in fact headquartered in the city of Novosibirsk, at an office that has about 40 employees. Pushwoosh insists that it stores all online activity data in the US and Germany and that the Russian government has no reach into the company.
Still, with no compelling evidence proving that it is not Russian software in origin, more actions against apps that make use of it are expected.