Russian Software Found in Smartphone App Used by CDC and U.S. Army


A data processing services company that claimed to be located in Washington, D.C. is actually a Russian firm based in Novosibirsk, Siberia, according to recent Reuters reporting. Pushwoosh also claims to have more than 80,000 clients – including consumer firms such as Coca-Cola and McDonald’s, but also the Centers for Disease Control (CDC) and, ominously, the United States Army. That latter fact has led to some concerns about how its mobile technology is now in thousands of smartphone applications in the Apple and Google online stores.

Since learning that the firm is based in Russia, the CDC has removed the Pushwoosh software from seven public-facing apps, citing security concerns, Reuters reported on Monday. The U.S. Army said it had previously removed an app containing Pushwoosh code back in March due to the same concerns. That particular app had reportedly been used by soldiers at one of the country’s main combat training bases.

Russian-Based App Maker

Though it is listed as being located in D.C. on Twitter, and in Maryland on Facebook and LinkedIn, reports on Monday confirmed that the Siberian-based firm failed to mention its true location in eight annual filings made in Delaware.

PC Magazine also reported that Pushwoosh founder Max Konev has been using the email address of a friend based in Maryland to handle business correspondence. The company, which employs around 40 people, had annual revenue of roughly $2.4 million. It is also registered to pay taxes to the Russian government, which means it is subject to the same rules as any Russian-based firm. That includes the sharing of user data with the Russian government upon request.

Konev has claimed his company has no connection with Moscow of any kind, and he further tried to suggest that all data is stored either in the United States or Germany.

Legal experts have suggested the company could be violating FTC laws, and that the discovery could trigger sanctions. That could have a huge impact on Pushwoosh, but also on the nearly 8,000 apps its code is now in.

“After being branded as an American company, the revelation of Pushwoosh being a Russian-originated software firm comes as yet another embarrassment to Apple and Google in the privacy domain,” explained Taylor Ellis, customer threat analyst at Horizon3ai.

“Considering that Apple and Google are significant contributors to United States government security investigations, handing over massive amounts of sensitive data, much to the American public’s chagrin, the companies have made a grave error in allowing Pushwoosh to possibly do the same for Russian authorities,” Ellis told ClearanceJobs.

Pushing Data

Pushwoosh is an example of a company that provides many of the backend services for mobile apps. In this case, it provides the code and data processing support for software developers and enables them to profile the online activity of smartphone app users – and to send tailor-made push notifications from its servers.

“While there is currently no evidence of Pushwoosh collecting hyper-sensitive information or mishandling user data for ‘darker’ purposes, it is important to remember that it is still a Russian institution, and their intentions should therefore be treated as a serious concern,” warned Ellis.

Even if the data is stored overseas, Russian intelligence agencies could still compel the Siberian-based firm to cede access to any data it maintains.

It thus isn’t surprising that Konev had attempted to conceal where the company is located.

“Although the West wishes to appear as unbiased and fair when concerning private Russian business, oftentimes, Russia’s private sector demonstrates a similar approach to government operations, in which there is a constant need to deceive, misinform, and shift the narrative,” Ellis continued.

However, by masquerading as an American firm, Pushwoosh has also demonstrated that it cannot be trusted in the forum of international business and technology.

“Overall, incidents such as these concerning private Russian businesses represent a larger problem that the west continues to struggle with – the balance between being ‘pro-innovation’ and safeguarding national security,” suggested Ellis. “Considering the turmoil that the Russian government has caused in the cyber world and on battlegrounds in Ukraine, at this current time, all countries should lean towards the protectionist side of the argument.”

Origins of All Software

This may not be an isolated incident, especially as so many apps are built on top of other software. All it takes is one bad actor in the chain, and the whole system could be compromised.

“Sketchy software is a huge deal if it makes its way into the military supply chain,” warned Jim Purtilo, associate professor of computer science at the University of Maryland.

“It is difficult enough to screen for defects in materials but the complexity of software systems makes screening a computational nightmare. It is tough to assure quality even under the best of circumstances, but if a malicious agent is trying to inject code into the software base then it would be far easier to look for needles under a haystack,” Purtilo told ClearanceJobs.

Bad actors can score wins against the United States without even getting near to what we would consider a critical system.

“Nobody thought fitness trackers were a big deal, for example, not until it was found that bad guys were using geolocation data uploaded by those apps in order to zero in on forward bases in contested territory,” explained Purtilo. “Bingo – that’s where an ‘A team’ is quartered. You could spend immense resources securing comms and validating planning tools only to have it all negated by a free app download. The chain of assurance is no stronger than the weakest link.”

Rooting out Pushwoosh

It would therefore be wise for all western institutions affected by Pushwoosh software to actively investigate the origin of Pushwoosh code by performing forensic analysis, even if only a remote connection exists.

“Given the amount of experience that the west has had with Russian business and their murky purpose when it comes to technology, these investigations cannot be idle or excused,” added Ellis. “American and European companies should be on the lookout for possible traces of spyware, worms, viruses, and other forms of malware possibly used by Pushwoosh, and for the time being, disable user interaction with apps found to possess Pushwoosh code.”