Several mobile apps in the Apple Store and Google Play Store carried programming code developed by Russian technology company PushWash, which represented itself as a USA company but was actually Russian, according to a report by Reuters.
A major US health threat, the Centers for Disease Control and Prevention (CDC) mistakenly believed that PushWash was based in the US capital, but after learning of its roots and connections from Reuters, the agency said it had removed the PushWash software from Seven. Public-facing apps that expose security risks.
In March, the U.S. military removed an app that included code from the Pushwash company for the same reason. That particular application was used by the military, the country’s primary combat training arm.
According to a Russian filing reviewed by Reuters, PushWash is a registered data processing software company headquartered in the Siberian city of Novosibirsk. It employs about 40 people and reported revenue of 143,270,000 rubles ($2.4 million) last year. Pushwash is registered with the Russian government to pay taxes in Russia.
Reuters presents itself as an American company on social media and in US regulatory filings, and has at various times been based in California, Maryland and Washington, DC.
The entrance to the National Training Center in the Mojave Desert at Fort Irwin, California, US, a US military training site—Reuters
Pushwoosh provides code and data processing support for software developers. The smartphone app allows users to profile online activity and send push notifications from PushWash servers.
He said the website does not collect any sensitive information or data. Reuters found no evidence that PushWash misused user data. However, Russian authorities have forced domestic companies to hand over user data to security agencies in their country.
In September, PushWash founder Max Konev told Reuters in an email that the company did not try to hide its Russian origins. “I am proud to be Russian and I never hide it.”
In addition, the company “has no connection with the Russian government” and stores its data in the United States and Germany.
Cybersecurity experts say that storing data overseas does not prevent Russian intelligence agencies from forcing a Russian company to hand over that information.
Pushwash code has been installed in a wide range of bargaining applications, from Unilever PLC and UEFA to the politically powerful US gun lobby, National, global consumer goods companies, non-profit organizations and government agencies. The National Rifle Association (NRA) and the British Labor Party.
After Reuters reported Pushwash’s Russian links to the CDC, the health agency “removed the company’s code from the app due to security concerns,” spokeswoman Kristen Nordlund said.
“The CDC believes that PushWash is a company based in the Washington, DC area,” Nordlund said in a statement. The belief was based on “representations” made by the company, she said without explanation.
Fake address, fake profile
Pushwash never mentioned Russian links in US regulatory filings and social media. The company lists itself as “Washington, DC” on Twitter and confirmed its office address as a home in Kensington, Maryland. He also lists a Maryland address on his Facebook and LinkedIn profiles.