How Russian Code Infiltrated Android And iOS Apps Used By The CDC And US Army

russian code infiltrates android ios apps cdc us army news
Around 8,000 Android and iOS apps rely on code provided by Pushwoosh to monitor user activity and send custom push notifications. According to a report by Reuters, Pushwoosh has made efforts to present itself as a US-based company while disguising the fact that the company operates out of Russia. Customers who have included Pushwoosh’s code in their apps include the Centers for Disease Control and Prevention (CDC) and the US Army. Both organizations have since removed that code from their apps, citing deception by Pushwoosh and national security concerns.

Mobile app developers often rely on third-party pre-built code to provide specific functionality. This code comes in the form of a software development kit, or SDK for short, and many apps come with multiple SDKs. Pushwoosh is a company that develops and sells such an SDK. The Pushwoosh SDK registers users and tracks their behavior, including precise geolocation data, to collect usage statistics and send custom push notifications tailored to user activity.

Pushwoosh also takes care of storing and processing all the data collected from the apps that include its SDK. Given the potentially sensitive user information that is collected by Pushwoosh, the company’s identity and location are important pieces of information for those considering integrating the Pushwoosh SDK into their apps. However, Pushwoosh appears to have obscured this information with conflicting claims.

Pushwoosh Twitter profile with news from Washington DC
Pushwoosh’s Twitter profile shows Washington, DC as the company’s location

The company’s most recent regulatory filings, submitted to the Delaware Secretary of State, list the address as a home in Kensington, Maryland. In previous filings from 2014 to 2016, Pushwoosh claimed to operate from an address in Union City, California. Meanwhile, Pushwoosh’s Twitter profile shows Washington, DC as the company’s location. Reuters also found that the company solicited sales through two LinkedIn accounts apparently owned by executives at the Washington, DC-based company


As it turns out, Pushwoosh is registered with the Russian government as a software company with headquarters in Novosibirsk, where around forty employees do their work. The Maryland home listed in the company’s regulatory filings is owned by a Russian friend of Pushwoosh founder Max Konev. The home’s owner told Reuters that he had nothing to do with Pushwoosh and simply agreed to allow the company to receive mail at his address. According to Konev, this arrangement to “receive business correspondence” began at his friend’s house during the COVID-19 pandemic.

Konev also told Reuters that the company’s new operational base is in Thailand. However, Reuters received no evidence for this claim and could not find a pushwoosh in the Thai business register. Reuters was able to determine that the two Washington, DC-based executives, Mary Brown and Noah O’Shea, are not real people but fakes created on LinkedIn. The picture displayed on Mary Brown’s profile is actually a picture taken by a photographer in Moscow, Russia of a dance teacher living in Austria. Reuters contacted the teacher, who said she didn’t know how her picture ended up on LinkedIn.

After confirming the LinkedIn profiles were fake, Konev told Reuters that a marketing agency hired by Pushwoosh in 2018 created the accounts in a social media campaign to sell Pushwoosh. Konev explained that the accounts were not created to hide the falsification that Pushwoosh is based in Russia. On the contrary, Konev told Reuters, “I’m proud to be Russian and I would never hide that.” Yet Pushwoosh has not admitted in any of its eight annual filings with the Delaware Secretary of State that it is a Russia-based company acts. By not acknowledging this fact, Pushwoosh may have both violated state law and deceived its customers.

READ :  iOS Bluetooth Bug Allowed Apps to Eavesdrop on User Conversations
Several CDC apps that sent health-related notifications to users included the Pushwoosh SDK, but the organization removed the SDK after learning the company’s true location. According to a CDC spokeswoman, Kristen Nordlund, “CDC believed that Pushwoosh was a Washington, DC area-based company.” However, despite using the Pushwoosh SDK, the CDC claims that it “did not share any user data with Pushwoosh.” .

In March of this year, the US Army stopped using an app with the Pushwoosh SDK, citing “security issues”. The app in question was an information portal used by troops at the Fort Irwin National Training Center. Bryce Dubee, a US Army spokesman, stated that the app did not connect to the Army network and its use resulted in no “operational data loss.”

Other organizations and companies told Reuters that since discovering Pushwoosh is a Russia-based company, they have removed the Pushwoosh SDK from their apps. While the company’s founder has denied any connection between the Russian government and Pushwoosh, the fact that the company’s SDK collects user behavior data and stores it on servers controlled by a Russia-based company is a cause for concern. Like China, the Russian government appears to have no qualms about forcing local companies to hand over user data.