Several apps used by U.S. government agencies, including an app used by the Army, were recently found to contain code written in Russia. Pushwoosh, the development firm, tricked the agencies into believing it was based in the U.S. In truth, the company is headquartered in Siberia, Russia.
Russia-Developed Code Utilized to Profile Online Activity of App Users Found In US Army Apps
The questionable code was spotted by the U.S. Army in March. It was found in both the iOS and Android versions of an app used by soldiers at one of the nation’s main combat training bases. The Army removed the app immediately on learning its origins.
The Centers for Disease Control and Prevention also fell for the deception, and removed the software from seven public-facing apps. Pushwoosh code has also been spotted in apps for various international companies, large non-profit organizations, the National Rifle Association and even Great Britain’s Labour Party.
While both the Army and CDC did remove the code citing security concerns, it so far appears no harm was done. U.S. Army spokesperson Bryce Dubee said the app never connected to the Army network and the military branch had not suffered any “operational loss of data.”
It’s a common practice for software developers to include third-party code in their apps. This can help lay the infrastructure for sending push notifications, storing and processing data, or other common tasks. The problem with this practice is that it would take close evaluation of the included code to ensure it’s not maliciously leaking information.
Russian Developer Poses As US-Based
According to research conducted by Reuters, Pushwoosh has masked its links to Russia. In U.S. regulator filings and on social media, the developer provides fake addresses. On Twitter, Pushwoosh lists its location as “Washington, D.C.” In a U.S. corporation filing to the state of Delaware, Pushwoosh claims its office as a house in Kensington, Maryland.
The house in Kensington actually belongs to a friend of Pushwoosh founder Max Konev. Speaking anonymously to Reuters, the Russian friend claims to have no association with Pushwoosh and only agreed to allow Konev to use the address to receive mail.
For his part, Konev insists the company has never tried to mask its Russian origins. He told Reuters in an email, “I am proud to be Russian and I would never hide this.” Nonetheless, the evidence pretty much speaks for itself. Beyond the misleading location on Twitter, Pushwoosh has also maintained several fraudulent LinkedIn profiles.
These fake profiles supposedly belonged to two Washington, D.C.-based executives, Mary Brown and Noah O’Shea. The company used these profiles to solicit sales, but Reuters learned neither were real people. In fact, the profile picture used for Brown was found to actually be of an Austria-based dance instructor. She told Reuters the picture was taken by a photographer in Russia but she had no idea how it ended up on LinkedIn.
Both LinkedIn profiles are now deactivated, after Reuters alerted the social media platform of the deception. Legal experts say there is a strong possibility the U.S. Federal Trade Commission could impose sanctions on Pushwoosh for the deception.