Software being used by large organisations including the US Army and UK Labour Party is being supplied by a company based in Russia using Russian servers, it has been revealed. Thousands of smartphone applications on both Google Play and Apple iOS app stores have been found to contain code from Pushwoosh, a customer engagement tool.
Pushwoosh claimed to be based in Kensington, Maryland on LinkedIn and Facebook. However, Reuters has reported that it is actually headquartered in the Siberian town of Novosibirsk, where it registered as a data processing software company. Pushwoosh is also registered to pay taxes in Russia.
What is Pushwoosh?
Pushwoosh enables companies to profile the online activity of their app users to send them tailored push notifications. Reuters found it employs 40 people at its headquarters in Novosibirsk, despite having claimed to be based at various times in California, Washington and Maryland. It reported revenue of $2.4m last year, and on its website says it works with 80,000 clients around the world, with its code running on 2.3bn connected devices.
Pushwoosh claims it does not collect sensitive data on its users, and Reuters investigation found no evidence of the company mishandling data. However, the ongoing tensions between Russia and the West around the war in Ukraine mean the development is a troubling one for organisations using the software, particularly as Russian law allows its government to demand any data stored within its borders be handed over.
Tech Monitor has contacted Pushwoosh for comment, but the company’s founder Max Konev has previously told Reuters that its Russian roots are not a secret. “I am proud to be Russian, I would never hide this,” he said. The company “has no connection with the Russian Government of any kind,” he continued, explaining that he stored his data in the United States and Germany.
Neither Google nor Apple immediately responded to Tech Monitor’s request for comment.
Which organisations are using Pushwoosh?
The United States’ agency for fighting major health threats, the CDC, has removed the software from seven public-facing apps after security concerns were raised. The US Army also disclosed it was forced to remove an application containing Pushwoosh code in March of this year due to similar worries. The app in question was being given to soldiers at a combat training base.
US Army Spokesperson Bryce Dubee said that a free version of Pushwoosh was used by the Army with the National Training Centre (NTC), as part of an app that was developed in 2016. “NTC reports they did not have any knowledge that Pushwoosh code was part of the app and were not aware of Pushwoosh itself or that it was a Russia-owned company,” said Dubee.
Pushwoosh code has been found in apps used by the Labour Party, European football’s governing body UEFA, and The National Rifle Association, Reuters says, as well as multinational corporation Unilever.