Russian notification software found in US Army, CDC apps

App Store

A report found that Pushwoosh code was installed in a wide variety of apps, including those from The Centers for Disease Control and Prevention (CDC), as well as the U.S. Army. According to Appfigures, an app intelligence firm, Pushwoosh code was found in almost 8,000 apps in Apple's App Store and Google's Play Store.

Apple said it takes user trust and safety seriously but declined to answer questions from Reuters.

The Army said it had removed an app containing Pushwoosh code in March. The CDC said it removed the code from seven of its public apps. Both entities cited security concerns.

Pushwoosh provides code and data processing support for software developers to help them send push notifications to users. Its website claims not to collect sensitive information, and an investigation from Reuters found no evidence that Pushwoosh mishandled user data.

It's still a possible security risk for companies that use the code. According to company documents, Pushwoosh is headquartered in Novosibirsk, located in Siberia. But on social media and in U.S. regulatory filings, it presents itself as a U.S. company.

Its founder, Max Konev, told Reuters that the company never tried to hide its Russian origins and said it has no connection to the Russian government. Konev also said that Pushwoosh stores its data in the United States and Germany.

However, cybersecurity experts said storing data overseas won't stop Russian intelligence agencies from forcing a Russian company to hand over access to the data.

Pushwoosh's business with U.S. government agencies and private companies could violate contracting and U.S. Federal Trade Commission (FTC) laws or trigger sanctions.

"This type of case falls right within the authority of the FTC," said Jessica Rich, former FTC's Bureau of Consumer Protection director.