View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 15, 2022

Software used by thousands of businesses secretly supplied by Russian company

Despite claiming to be based in the US, Pushwoosh is registered in Russia and has a headquarters there. This could pose security issues.

By Claudia Glover

Software being used by large organisations including the US Army and UK Labour Party is being supplied by a company based in Russia using Russian servers, it has been revealed. Thousands of smartphone applications on both Google Play and Apple iOS app stores have been found to contain code from Pushwoosh, a customer engagement tool.

Russian app Pushwoosh masquerading as being registered in America was incorporated into an app for US soldiers in 2016. (Photo by cunaplus/Shutterstock)

Pushwoosh claimed to be based in Kensington, Maryland on LinkedIn and Facebook. However, Reuters has reported that it is actually headquartered in the Siberian town of Novosibirsk, where it registered as a data processing software company. Pushwoosh is also registered to pay taxes in Russia. 

What is Pushwoosh?

Pushwoosh enables companies to profile the online activity of their app users to send them tailored push notifications. Reuters found it employs 40 people at its headquarters in Novosibirsk, despite having claimed to be based at various times in California, Washington and Maryland. It reported revenue of $2.4m last year, and on its website says it works with 80,000 clients around the world, with its code running on 2.3bn connected devices.

Pushwoosh claims it does not collect sensitive data on its users, and Reuters investigation found no evidence of the company mishandling data. However, the ongoing tensions between Russia and the West around the war in Ukraine mean the development is a troubling one for organisations using the software, particularly as Russian law allows its government to demand any data stored within its borders be handed over.

Tech Monitor has contacted Pushwoosh for comment, but the company’s founder Max Konev has previously told Reuters that its Russian roots are not a secret. “I am proud to be Russian, I would never hide this,” he said. The company “has no connection with the Russian Government of any kind,” he continued, explaining that he stored his data in the United States and Germany. 

Neither Google nor Apple immediately responded to Tech Monitor’s request for comment.

Which organisations are using Pushwoosh?

The United States’ agency for fighting major health threats, the CDC, has removed the software from seven public-facing apps after security concerns were raised. The US Army also disclosed it was forced to remove an application containing Pushwoosh code in March of this year due to similar worries. The app in question was being given to soldiers at a combat training base.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

US Army Spokesperson Bryce Dubee said that a free version of Pushwoosh was used by the Army with the National Training Centre (NTC), as part of an app that was developed in 2016. “NTC reports they did not have any knowledge that Pushwoosh code was part of the app and were not aware of Pushwoosh itself or that it was a Russia-owned company,” said Dubee. 

Pushwoosh code has been found in apps used by the Labour Party, European football’s governing body UEFA, and The National Rifle Association, Reuters says, as well as multinational corporation Unilever.

Read more: SAP and Cloudflare under fire for Russia presence

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.