Mobile phone in the hand with background of the Russian flag showing Russian software and online activity tracking

Hidden Russian Software in Thousands of Apps Sparks Fears of Online Activity Tracking, Prompts Ban by US Army

A piece of Russian software buried in thousands of apps has raised concerns in some government agencies, and the US Army and CDC have banned several of these apps over concerns about tracking of online activity.

A firm called “Pushwoosh” has code in numerous apps available via the Google and Apple official app stores, and had presented itself as being based in the United States. However, a Reuters investigation discovered that the company appears to be based in Siberia, something that it did not report to US regulars. The company’s online presence also makes no mention of its Russian roots, displaying several different addresses in the US.

Russian software not found to be malicious, but attempts to hide home address raises alarms

The Russian software company provides code that assists app developers in tracking user online activity for the purpose of sending personalized push notifications. About 8,000 Android and iOS apps, available through the official app stores, make use of it. Some of the bigger names include apps put out by the consumer goods giant Unilever and the National Rifle Association. The issue is not limited to the US, as the British Labour Party and the Union of European Football Associations also reportedly make use of the code.

Pushwoosh was apparently able to establish such a foothold in no small part by presenting itself as a US-based company. There is not yet any indication that the code is malicious, but the fact that a Russian software company went to lengths to conceal its origins has caused government agencies to ban some apps out of an abundance of caution.

The company makes assurances on its website that its monitoring of online activity does not include the collection of sensitive information, but the discovery comes amidst a period in which the Russian government has drafted new laws compelling private companies to share personal information they collect with the Federal Security Service (FSB).

The Centers for Disease Control and Prevention (CDC) is one of the agencies that has taken action against the Russian software firm, removing its code from several of its public-facing apps. The US Army has also banned an app that was used at one of the country’s largest combat training bases and might have logged sensitive information about online activity.

Reuters discovered the origins of the Russian software firm via public registration documents filed in that country, indicating that Pushwoosh is based in the Siberian town of Novosibirsk and has some 40 employees at its headquarters there. For its part, Pushwoosh has responded by saying that the Siberia location was merely a contractor that the company once used as a parts supplier but severed its relationship with in February of this year. The company maintains that it is registered in Delaware, based in the US, stores all online activity data in the US and Germany, and that it has no connection to the Russian government.

But the firm has not yet provided the media with evidence of these claims, and it is unclear what its US headquarters are as it has several California, Maryland and Washington DC addresses listed in various places online.

Online activity data potentially available for seizure by Russian government

Legal analysts that spoke to Reuters say that if Russian software was indeed concealed and misrepresented as coming from a US firm, the biggest trouble for the company could come from its filings with US regulators. It could also face a Federal Trade Commission (FTC) investigation into potential unfair or deceptive practices, and sanctions are not off the table if it can be demonstrated that the Russian government has access to US user online activity.

Follow-up investigation by Reuters found that the company’s listed Maryland address was a residence belonging to a friend of the Pushwoosh CEO, who said that he had only agreed to receive mail addressed to the company. The person living at the residence opted to remain anonymous and said that they had nothing to do with the company other than taking in its mail. Another address that the company said it had inhabited from 2014 to 2016 in Union City, CA does not exist.

Reuters was also not able to find the people listed on LinkedIn as executives in charge of sales. One profile appeared to be fake, as the picture used belonged to a woman in New Zealand who said she had nothing to do with the company. The Pushwoosh CEO acknowledged that the LinkedIn accounts were not real and blamed a marketing firm that the company hired in 2018.

Tom Kellermann, CISM and Senior VP of Cyber Strategy at Contrast Security, feels that the threat is substantial and may extend beyond the tracking of online activity: “Organizations must conduct assessments for Pushwoosh code in their applications and irradicate it. Take note – If the Army and CDC have removed the code, all organizations should as well and it is likely that we will see a systemic attack in the coming days. Thousands of applications within Apple and Google leverage Pushwoosh — the danger here is systemic and persistent.  It is a concern for all organizations. This is a prime example of how critical application security is.  In 2022 and moving into 2023, you cannot implicitly trust code. Modern applications necessitate runtime protection from these types of threats.”

 

Senior Correspondent at CPO Magazine