A report says an official US Army app had Russian code and might have harvested data for Russia.

Officials in the US and western countries have grown more concerned about Pushwoosh app software as they have grown more suspicious about other foreign apps, such as TikTok.

The app was developed for a critical Army base in the United States by a firm registered in Russia and operated out of Russia. According to Reuters, the firm may have been forced to gather information for the Russian government, which would have jeopardized critical US military data. The firm has claimed that it did not share data with the Russian government.

Reuters exclusively reported Monday that Pushwoosh, a software company, was misrepresenting itself as an American firm. Reuters furthermore discovered that the company created an app for the US Army and the US Center for Disease Control and Prevention (CDC), raising the concern that Russian authorities might request companies operating in Russia to hand over app user data.

According to company documents obtained by Reuters, Pushwoosh is headquartered in Novosibirsk, Russia, and pays taxes there.

[Image: Pushwoosh. Source: pushwoosh.com]

Pushwoosh has developed software for a variety of clients worldwide.

The company developed an app for the US Army’s National Training Center at Fort Irwin, California. Fort Irwin is a crucial training ground for units preparing for overseas deployments, according to C4ISRNET.

For example, Pushwoosh developed code used in the CDC’s main app and in other CDC apps that track health data. Its software has also been used by Unilever Plc, the Union of European Football Associations (UEFA), the National Rifle Association (NRA), and Britain’s Labour Party, among others.

Pushwoosh’s location and office address are listed as Washington, DC on Twitter. The exact address is listed on the company’s Facebook and LinkedIn profiles.

An anonymous friend of Pushwoosh founder Max Konev is said to own the Kensington house. According to Reuters, the friend told the news service that he had nothing to do with the company and allowed Konev to receive mail at his address.

In addition to having created LinkedIn accounts for two people who purport to live in D.C., Pushwoosh also reportedly created accounts for two people who do not actually live there, according to the investigation. Konev, however, told Reuters that the accounts were not genuine. Konev says Pushwoosh hired a marketing agency in 2018 to create the fake accounts to promote Pushwoosh, but not to hide the company’s Russian connections.

Furthermore, Pushwoosh Inc. claims it was never owned by any corporation registered in the Russian Federation.

“Pushwoosh Inc. used to outsource development parts of the product to the Russian company in Novosibirsk, mentioned in the article. However, in February 2022, Pushwoosh Inc. terminated the contract,” the company announced.

Pushwoosh apparently operates in several countries, with locations including Nuremberg, Germany, and Washington, DC, according to its statement.

Potential Data Breach in the Military

According to Pushwoosh, its data policy is in line with the European Union’s General Data Protection Regulation (GDPR) and is governed by the Standard Contractual Clauses of the European Commission.

The company also claims that none of its customers’ data has ever been transferred outside Germany and the United States, including to the Russian Federation, and that it has never been contacted by any government about customer data.

It is true that Reuters has discovered no proof that Pushwoosh mishandled consumer data. In addition, Jerome Dangu, who co-founded the Confiant cybersecurity firm, commented that there is no obvious sign of deceptive or malicious activity in Pushwoosh’s actions.

“We haven’t found any clear sign of deceptive or malicious intent in Pushwoosh’s activity, which certainly doesn’t diminish the risk of having app data leaking to Russia,” he said.

Reuters and Dangu found no signs of Pushwoosh engaging in deceptive data handling, though Russian authorities have forced domestic companies to hand over user data to domestic security agencies.

[Image: Geolocation. Source: pxhere.com]

Dangu said Pushwoosh collects data from users, including precise geolocation on sensitive and governmental apps, adding that there is a risk of app data leaking to Russia as a result. While he doesn’t see any signs of deceptive or malicious handling of app data, Dangu believes that there is still a risk of having data leak to Russia.

The Army told Reuters that it removed the NTC app with Pushwoosh software in March because of “security issues.” However, the Army did not say how widely the app was used.

Around 2019, C4ISRNET reported that nearly 1,000 personnel had downloaded the app and that it had fallen out of use.

According to Reuters, Army spokesman Bryce Dubee said the Army suffered no “operational loss of data” with the app. Furthermore, Dubee noted that the app did not connect to the Army network.

CDC spokeswoman Kristen Nordlund told Reuters that the agency had removed Pushwoosh software from their apps.

However, with strict sanctions on Russia, “it shouldn’t be a surprise that with or without direct links to Russian state espionage campaigns, firms that handle data will be keen to play down their Russian roots,” said Keir Giles, a Russia expert at London think tank Chatham House.