Russian Code Found in Thousands of American Apps, Including the CDC's

Lucas Ropek
·3 min read
7
Photo: Kevin C. Cox (Getty Images)
Photo: Kevin C. Cox (Getty Images)

A software company whose code is used in thousands of widely downloaded apps has been pretending to be based in the U.S. when, in reality, it operates out of Russia, new reporting from Reuters shows. The company, Pushwoosh, used fake street addresses and even fake employee profiles on LinkedIn to create the illusion that it was headquartered in the U.S., according to the recent investigation, but the firm is actually located in a city in Siberia.

Reuters reports that, in both regulatory filings and on social media, Pushwoosh has consistently advertised itself as being based in the U.S. The firm provides contract support and software to a broad array of organizations, including “international companies, influential non-profits and government agencies,” the outlet reports.

Read more

Pushwoosh’s code is used in at least eight thousand different apps currently available on the Google Play and Apple store. The company’s clients have even included the Center for Disease Control and Prevention (CDC), which, until recently, used its code in at least seven different public-facing apps. The U.S. Army also contracted with the company.

However, the Reuters report seems to reveal that the company has been misrepresenting itself. For one thing, the company made separate filings with both the U.S. and Russian governments that provide conflicting information. In its filing with the state of Delaware, where Pushwoosh is registered, the company listed addresses in Washington D.C., California, and Maryland, and never characterized itself as Russian company. However, when it made similar filings with the Russian government, it stated that it was based in the Siberian city of Novosibirsk, which is located in southern Russia.

Meanwhile, in its marketing materials and on its website the company also listed a number of physical addresses based in the U.S. that Reuters says aren’t actually connected to the company. Reporters traveled to one of the addresses and found that it was the residence of a friend of Konev’s; the friend told the reporters that he had “nothing to do with Pushwoosh and had only agreed to allow Konev to use his address to receive mail.” The other address, which was said to be the firm’s “principal place of business” from 2014 to 2016, was for a residence in a California Bay Area town that local officials say doesn’t actually exist.

At the same time, the company created a raft of social media profiles for U.S.-based executives that are also fictional, Reuters reports.

Both the CDC and the Army ditched the company’s code after learning that Pushwoosh’s Russian origins.

From a cybersecurity perspective, the obvious concern here is that this company isn’t what it seems and that data collected by it could have been misused or shared with the Russian government. To be clear, though, Reuters reports that there isn’t any evidence that Pushwoosh did either of those things. That said, it isn’t without precedent for Russian law enforcement to force Russian companies to furnish user data to the government.

The company’s founder, Max Konev, has disavowed any suspicions of malfeasance, telling Reuters that Pushwoosh “has no connection with the Russian government of any kind” and that he had not tried to hide the company’s origins. “I am proud to be Russian and I would never hide this,” he said. He has also explained away the fake LinkedIn profiles, claiming that they were created by a marketing agency in 2018 to “use social media to sell Pushwoosh, not to mask the company’s Russian origins.” Hmm.

It all sounds pretty weird, but Gizmodo reached out to Pushwoosh for more information and will update this story if the company responds.

More from Gizmodo

Sign up for Gizmodo's Newsletter. For the latest news, Facebook, Twitter and Instagram.

Click here to read the full article.