Reuters reports that thousands of apps in both Google’s and Apple’s app stores contain computer code developed by a Russian company, Pushwoosh, based in Novosibirsk in Siberia. The company has tried disguising it’s Russian roots and appeared to be American at first glance, having provided US addresses for their offices, and created fake employee profiles with American-sounding names on LinkedIn.
The code has been placed in about 8,000 apps in total, and the code is said to have existed in apps as varied as ones from soap manufacturer Unilever, to UEFA, the NRA and even the British Labour Party. A total of 2.3 billion mobile devices exist in Pushwoosh’s database.
The code has even been used in apps by the US Centers for Disease Control and Prevention (CDC) and the US Army. The CDC told Reuters it removed Pushwoosh software from as many as seven public-facing apps, after being informed by the Reuters journalists of the software’s Russian origins.
The US Army told Reuters it had removed an app containing Pushwoosh code in March because of the same security concerns.
According to Reuters, Pushwoosh provides code and data processing support used by software developers for user profiling, as well as the ability to send tailor made push notifications. The Russian software can be bought by a developer who needs to integrate such services in their own apps, but who doesn’t want to spend time developing their own solution.
The data collected is similar to that collected by Google and Facebook, including geolocation. The main difference is that the data collected is being processed on servers in Russia controlled by Pushwoosh, subject to Russian legislation.
Reuters found no examples of the data being forwarded to the Russian authorities. At the same time, they point out that there have been examples where Russian companies have been forced to provide user data to Russian security authorities.
Pushwoosh has given addresses in California, Maryland and Washington DC both to the US authorities and on social media. In addition to the addresses being used when registering activities in the USA, they were also used on the company’s company profiles on social media such as LinkedIn and Twitter. Fictitious employee profiles with American names had also been created on LinkedIn.
Pushwoosh’s founder, Max Konev, told Reuters in a September email that the company never tried to mask its Russian roots. “I am proud to be Russian and I would never hide this.” He went on to say the company “has no connection with the Russian government of any kind” and stores its data in the United States and Germany.