A company registered for business in Russia developed an app for a key US military base. Reuters believes he could have been forced to collect data for the Russian government, which could put critical US military data in the hands of one of its main geopolitical adversaries. The company has denied sharing data with the Russian government.
On Monday, Reuters reported that a software company known as Pushwoosh presented itself as a US company but is actually a Russian company. Reuters also reported that the company developed an app for the US military and the US Centers for Disease Control and Prevention (CDC) and raised the possibility that Russian authorities could compel the companies operating in Russia to hand over the data of the users of the application.
Reuters reportedly obtained company documents showing that Pushwoosh is based in the Russian city of Novosibirsk and is registered to pay taxes in Russia.
Pushwoosh has developed software for a variety of international clients.
C4ISRNET reported that the company developed an app for the US Army’s National Training Center in Fort Irwin, California. The base serves as a key training ground for units to prepare for overseas deployments.
The software company also developed the code used in the CDC’s main application, as well as other CDC applications aimed at tracking a wide range of health information. Other users of Pushwoosh software have included global consumer products company Unilever Plc, the Union of European Football Associations (UEFA), the National Rifle Association (NRA) and the British Labor Party.
Reuters reported that Pushwoosh lists Washington DC as its location on Twitter and claims an office address in Kensington, Maryland. This Maryland address also appears on the company’s Facebook and LinkedIn profiles.
Reuters reported that the Kensington home belongs to a friend of Pushwoosh founder Max Konev. The friend reportedly told Reuters on condition of anonymity that he said he had nothing to do with the business and only agreed to let Konev use his address for mail.
Pushwoosh also created LinkedIn accounts for two people who pretend to live in the DC era and don’t actually exist. Konev has admitted to Reuters that the accounts were not genuine. Konev said Pushwoosh hired a marketing agency in 2018 to create the fake accounts to help promote Pushwoosh, but not to hide the company’s connections to Russia.
In a statement in response to the Reuters report, Pushwoosh said: “Pushwoosh Inc. is a private C-Corp company incorporated under the state laws of Delaware, USA. Pushwoosh Inc. was never owned by any company registered in the Russian Federation.
The company said it “used to outsource parts of product development to the Russian company in Novosibirsk, mentioned in the [Reuters] article However, in February 2022, Pushwoosh Inc. terminated the contract.”
Pushwoosh also said it operates in multiple countries and has data centers in Nuremberg, Germany and Washington DC.
Pushwoosh said its data policy complies with the European Union’s General Data Protection Regulation (GDPR) and is governed by the European Commission’s Standard Contractual Clauses.
“Pushwoosh guarantees that none of the customer data has ever been transferred outside of Germany and the US to any country, including the Russian Federation,” the company continued. “Furthermore, Pushwoosh has never been contacted by any government regarding customer data.”
Reuters itself acknowledged that it “found no evidence that Pushwoosh mishandled user data.” The publication also published a quote from Jerome Dangu, co-founder of cybersecurity firm Confiant, who said: “We found no clear signs of deceptive or malicious intent in Pushwoosh’s activity.”
While Reuters and Dangu found no evidence of fraudulent data manipulation by Pushwoosh, Reuters said: “Russian authorities have, however, forced local companies to hand over user data to national security agencies.”
Dangu also said the Pushwoosh software “collects user data, including precise geolocation, in sensitive and government applications, which could enable invasive tracking at scale.” Dangu said that while it sees no evidence of intentional deceptive or malicious handling of app data, it “certainly does not diminish the risk of leaking app data in Russia.”
The military told Reuters it officially removed the NTC app that contained Pushwoosh software in March, citing “security concerns.” The military did not specify how widely the app was used.
C4ISRNET reported that at least 1,000 people downloaded the app and that it stopped being used around 2019 due to routine personnel turnover at the base.
US military spokesman Bryce Dubee told Reuters the military did not experience any “operational data loss” with the app. Dubee also said that the app was not connecting to the army’s network.
CDC spokeswoman Kristen Nordlund also told Reuters the agency had removed the Pushwoosh software from its apps.
Security concerns about the Pushwoosh app’s software come as U.S. and Western officials have taken a closer look at other foreign apps, such as TikTok.
English 
Español de Venezuela