Russia-based Pushwoosh tricks US Army and others into running its code – for a while
Russian data trackers … what could possibly go wrong?
US government agencies including the Army and Centers for Disease Control and Prevention pulled apps running Pushwoosh code after learning the software company – which presents itself as American – is actually Russian, according to Reuters.
Pushwoosh is a software company that provides code and data analysis for developers so they can automate custom push notifications based on smartphone users' online activity. This is the same kind of tracking data – aka commercial surveillance – that major US tech companies like Google and Meta have come under fire from privacy advocates and watchdog agencies alike for collecting.
However, in this case, it's a Russian company collecting and processing this data. That means in addition to regular old privacy concerns, there are also national security worries on the line – especially when the US military uses the code.
The US Army removed the app in March, we're told.
"The app in question was developed in 2016 by an individual who is no longer associated with the National Training Center (NTC) using a free version of Pushwoosh," US Army spokesperson Bryce Dubee told The Register, adding there was no contract. "NTC reports they did not have any knowledge that Pushwoosh code was part of the app and were not aware of Pushwoosh itself or that it was a Russian-owned company."
"As regulations and guidance have become more stringent since 2016, PM Army Mobile moved to have the app taken offline completely while conducting a routine review of authorized apps," Dubee continued. "Additionally, regulations do not authorize the use of free software when paid software is available, and consequently, the PM Army Mobile team would have immediately disallowed/disapproved the use of free software."
In addition to the US government agencies, consumer goods giant Unilever, the Union of European Football Associations, American gun lobby group National Rifle Association, and Britain's Labour Party also installed Pushwoosh code in their apps, Reuters reported.
Apps running Pushwoosh code are available on Google Play and Apple's App Store, and the company claims its code runs on more than 2.3 billion connected devices, according to its website.
While it doesn't list a company address anywhere on the website – it notes offices in "multiple countries" but doesn't name any of them – Pushwoosh is headquartered in Novosibirsk, a city in southwestern Siberia, the newswire claimed.
According to its Twitter profile, the company is based in Washington, DC, and on LinkedIn and in press releases it claims to be based in Maryland.
As tensions have escalated between the US and Russia following the illegal Russian invasion of Ukraine earlier this year, Russian software companies have come under increasing scrutiny from the Feds. Even before the war, some had already ended up on the banned list over fears that they are spyware fronts for the Kremlin.
The US Army in March pulled an app used by soldiers that contained Pushwoosh code because of security concerns, we're told.
Additionally, the CDC told Reuters it had been tricked into believing Pushwoosh was a US-based company. After learning it was Russian, the top health agency removed Pushwoosh software from seven apps, also citing security concerns.
In an earlier email exchange, Reuters quotes Pushwoosh's founder, Max Konev, as saying: "I am proud to be Russian and I would never hide this." He added that his company "has no connection with the Russian government of any kind" and stores its data in the US and Germany.
Pushwoosh did not immediately respond to The Register's inquiries.
When asked if Google plans to pull Pushwoosh apps from the Google Store, a spokesperson told The Register: "Privacy and SDK safety are huge areas of focus for Google Play and Android. When we find apps that violate Google Play policies, we take appropriate action."
Push On, with more than 1,000 downloads, is still listed on Google Play.
Apple did not respond to The Register's request for comment. ®
Updated to add
Pushwoosh has issued a statement denying that it is a Russian company or that it mishandled customer data.
"Pushwoosh Inc. is the sole proprietor of all IP rights assigned to Pushwoosh Service and a primary legal entity of the Pushwoosh brand. Pushwoosh Inc. is a privately held C-Corp company incorporated under the state laws of Delaware, USA. Pushwoosh Inc. was never owned by any company registered in the Russian Federation," it said on Tuesday.
"Pushwoosh Inc. used to outsource development parts of the product to the Russian company in Novosibirsk, mentioned in the article. However, in February 2022, Pushwoosh Inc. terminated the contract."
Post-COVID the organization is a global company, it said, and owns datacenters in Nuremberg, Germany and Washington DC. These are fully compliant with Europe's GDPR rules in the handling of customer data, the statement asserts.
"Pushwoosh guarantees that none of the customers' data has ever been transferred outside Germany and the USA to any country, including the Russian Federation," it said. "Furthermore, Pushwoosh has never been contacted by any government regarding customer data."