Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Russian notification software found in US Army, CDC apps

A recent investigation found thousands of apps in the App Store that contained code from Russian company Pushwhoosh, which pretends to be based in the United States.

A report found that Pushwoosh code was installed in a wide variety of apps, including those from The Centers for Disease Control and Prevention (CDC), as well as the U.S. Army. According to Appfigures, an app intelligence firm, Pushwoosh code was found in almost 8,000 apps in Apple's App Store and Google's Play Store.

Apple said it takes user trust and safety seriously but declined to answer questions from Reuters.

The Army said it had removed an app containing Pushwoosh code in March. The CDC said it removed the code from seven of its public apps. Both entities cited security concerns.

Pushwoosh provides code and data processing support for software developers to help them send push notifications to users. Its website claims not to collect sensitive information, and an investigation from Reuters found no evidence that Pushwoosh mishandled user data.

It's still a possible security risk for companies that use the code. According to company documents, Pushwoosh is headquartered in Novosibirsk, located in Siberia. But on social media and in U.S. regulatory filings, it presents itself as a U.S. company.

Pushwoosh provides code to developers. Source: Reuters Pushwoosh provides code to developers. Source: Reuters

Its founder, Max Konev, told Reuters that the company never tried to hide its Russian origins and said it has no connection to the Russian government. Konev also said that Pushwoosh stores its data in the United States and Germany.

However, cybersecurity experts said storing data overseas won't stop Russian intelligence agencies from forcing a Russian company to hand over access to the data.

Pushwoosh's business with U.S. government agencies and private companies could violate contracting and U.S. Federal Trade Commission (FTC) laws or trigger sanctions.

"This type of case falls right within the authority of the FTC," said Jessica Rich, former FTC's Bureau of Consumer Protection director.



3 Comments

☕️
DAalseth 6 Years · 3072 comments

Its founder, Max Konev, told Reuters that the company never tried to hide its Russian origins and said it has no connection to the Russian government. Konev also said that Pushwoosh stores its data in the United States and Germany

Let’s parse this out:

First, did you see the very first line of the article, “which pretends to be based in the United States”. I’d say that counts as trying to hide it’s Russian origins. For comparison Readdle that makes ScannerPro is very up front about it being from Ukraine.

Second, no successful Russian company that does business internationally is not connected in some way with the Putin Regime. Maybe not “officially” part of the government, but you can be sure that they have their hand in it, for payments, for intelligence, for data. It’s why I won’t use an antivirus that used the Kaspersky engine. I don’t trust them.

Third, storing the data in the US and Germany is all fine and good, but that says nothing about letting Russian intelligence, both internal and external, thumb through it at will. 

I’ll be checking the list, and if any of my software uses Pushwoosh code, it’s gone from my devices. 

🎁
the_janitor 2 Years · 1 comment

DAalseth said:
Its founder, Max Konev, told Reuters that the company never tried to hide its Russian origins and said it has no connection to the Russian government. Konev also said that Pushwoosh stores its data in the United States and Germany

Let’s parse this out:

First, did you see the very first line of the article, “which pretends to be based in the United States”. I’d say that counts as trying to hide it’s Russian origins. For comparison Readdle that makes ScannerPro is very up front about it being from Ukraine.

Second, no successful Russian company that does business internationally is not connected in some way with the Putin Regime. Maybe not “officially” part of the government, but you can be sure that they have their hand in it, for payments, for intelligence, for data. It’s why I won’t use an antivirus that used the Kaspersky engine. I don’t trust them.

Third, storing the data in the US and Germany is all fine and good, but that says nothing about letting Russian intelligence, both internal and external, thumb through it at will. 

I’ll be checking the list, and if any of my software uses Pushwoosh code, it’s gone from my devices. 

This is a well thought-out and articulate response.  and, most importantly, accurate!

🌟
alterbentzion 6 Years · 41 comments

Here's a link to a list of apps that use pushwhoosh:

<https://internetsafetylabs.org/blog/news-press/reuters-breaks-story-on-dangerous-sdk-pushwoosh-found-by-isl/>