An app for a key U.S. Army base was developed by a company that’s registered for business in Russia. Reuters believes it could have been compelled to harvest data for the Russian government, potentially putting critical U.S. military data into the hands of one of its top geopolitical adversaries. The company has denied sharing data with the Russian government.
On Monday, Reuters reported that a software firm known as Pushwoosh presented itself as an American company but is actually a Russian company. Reuters further reported that the firm developed an app for the U.S. Army and for the U.S. Centers for Disease Control and Prevention (CDC), and raised the prospect that the Russian authorities can compel companies operating in Russia to hand over their app user data.
Reuters reportedly obtained company documents showing Pushwoosh is headquartered in the Russian town of Novosibirsk and is registered to pay taxes in Russia.
Pushwoosh has developed software for a variety of international clients.
C4ISRNET reported the firm developed an app for the U.S. Army’s National Training Center on Fort Irwin, California. The base serves as a key training ground for units to prepare for overseas deployments.
The software firm also developed code used on the CDC’s main app, as well as other CDC apps meant to track a wide range of health information. Other Pushwoosh software users have reportedly included the global consumer products company Unilever Plc, the Union of European Football Associations (UEFA), the National Rifle Association (NRA), and Britain’s Labour Party.
Reuters reported Pushwoosh lists Washington D.C. as its location on Twitter and claims an office address in Kensington, Maryland. This Maryland address is also listed on the company’s Facebook and LinkedIn profiles.
Reuters reported the Kensington house belongs to a friend of Pushwoosh founder Max Konev. The friend, speaking on condition of anonymity, reportedly told Reuters he had nothing to do with the business and only agreed to let Konev use his address to receive mail.
Pushwoosh also reportedly created LinkedIn accounts for two people who purport to live in the D.C. area but do not actually exist. Konev has admitted to Reuters that the accounts were not genuine. Konev said Pushwoosh hired a marketing agency in 2018 to create the fake accounts to help promote Pushwoosh, but not to hide the company’s connections to Russia.
In a statement in response to Reuters’ reporting, Pushwoosh said, “Pushwoosh Inc. is a privately held C-Corp company incorporated under the state laws of Delaware, USA. Pushwoosh Inc. was never owned by any company registered in the Russian Federation.”
The company said it “used to outsource development parts of the product to the Russian company in Novosibirsk, mentioned in the [Reuters] article. However, in February 2022, Pushwoosh Inc. terminated the contract.”
Pushwoosh also said it operates in a number of countries and has data centers in Nuremberg, Germany and Washington D.C.
Pushwoosh said its data policy is compliant with the European Union’s General Data Protection Regulation (GDPR) and is governed by the Standard Contractual Clauses of the European Commission.
“Pushwoosh guarantees that none of the customers’ data has ever been transferred outside Germany and the USA to any country, including the Russian Federation,” the company continued. “Furthermore, Pushwoosh has never been contacted by any government regarding customer data.”
Reuters itself acknowledged it has “found no evidence Pushwoosh mishandled user data.” The publication also published a quote from Jerome Dangu, co-founder of the Confiant cybersecurity firm, who said, “We haven’t found any clear sign of deceptive or malicious intent in Pushwoosh’s activity.”
While Reuters and Dangu found no indications of deceptive data handling by Pushwoosh, Reuters said, “Russian authorities, however, have compelled local companies to hand over user data to domestic security agencies.”
Dangu also said Pushwoosh software “collects user data including precise geolocation, on sensitive and governmental apps, which could allow for invasive tracking at scale.” Dangu said that while he sees no signs of intentional deceptive or malicious handling of app data, that “certainly doesn’t diminish the risk of having app data leaking to Russia.”
The Army told Reuters it officially removed the NTC app containing Pushwoosh software in March, citing “security issues.” The Army did not specify how widely the app was used.
C4ISRNET reported at least 1,000 people downloaded the app and that it fell out of common use around 2019 due to routine personnel changeover at the base.
U.S. Army spokesperson Bryce Dubee told Reuters the Army suffered no “operational loss of data” with the app. Dubee also said the app did not connect to the Army network.
CDC spokesperson Kristen Nordlund also told Reuters the agency had removed Pushwoosh software from their apps.
The security concerns about Pushwoosh app software come as U.S. and Western officials have taken a closer look at other foreign apps, such as TikTok.