US government agencies such as the Army and the Centers for Disease Control and Prevention have pulled apps that use Pushwoosh code after discovering that the software company, which promotes itself as American, is actually Russian, Reuters reported.
Pushwoosh is a software startup that gives code and data analysis to developers for them to create customized push notifications depending on the internet activity of users. This is the same type of tracking data – dubbed commercial surveillance that privacy groups and watchdog authorities have chastised major US tech companies like Google and Meta for obtaining.
However, a Russian entity is collecting and processing the data in this scenario. Therefore, it implies that, in addition to the basic privacy concerns, there are national security concerns, mainly when the US military utilizes the code.
“The app in question was developed in 2016 by an individual who is no longer associated with the National Training Center (NTC) using a free version of Pushwoosh,” said US Army spokesperson Bryce Dubee, adding there was no contract.
“NTC reports that they did not know that Pushwoosh code was part of the app and was not aware of Pushwoosh itself or that it was a Russian-owned company.”
“As regulations and guidance have become more stringent since 2016, PM Army Mobile moved to have the app taken offline while conducting a routine review of authorized apps,” Dubee continued.
“Additionally, regulations do not authorize the use of free software when paid software is available, and consequently, the PM Army Mobile team would have immediately disallowed/disapproved the use of free software.”
Reuters reported that, in addition to US government entities, consumer products company Unilever, the Union of European Football Associations, American gun lobby group National Rifle Association, and Britain’s Labour Party all used Pushwoosh code in their apps.
Pushwoosh-powered apps are accessible on Google Play and Apple’s App Store, and the company says that its code is used by more than 2.3 billion connected devices, according to its website.
The website does not list the company address. However, it does list several countries where its offices are located. According to several sources, Pushwoosh is headquartered in Novosibirsk, a city in western Siberia.
As tensions between the US and Russia have intensified due to Russia’s illegal invasion of Ukraine, the Federal government has boosted its surveillance of Russian software companies. Before the invasion, some were already on the banned list owing to reports that they were Kremlin spyware fronts.
Sources claim that the US Army banned a Pushwoosh-infected app used by soldiers in March due to security concerns.
Furthermore, the CDC informed Reuters that it had been fooled into believing Pushwoosh was a US-based business. The leading health organization banned the Pushwoosh software from seven apps after realizing it was Russian, citing security issues as well.
Max Konev, the creator of Pushwoosh, is quoted by Reuters as saying: “I am proud to be Russian, and I would never hide this.” He continued by saying that his business “has no connection whatsoever with the Russian government” and that it saves its data in Germany and the US.
“Google Play and Android place a lot of emphasis on online privacy and SDK security. We respond appropriately when we discover apps that are against Google Play policies,” a spokesperson for Google said.
More than 1,000 people have downloaded Push On, which is still available on Google Play.