New reporting from Reuters has revealed that a software company whose code is used by thousands of popular apps pretends to be based in America. Pushwoosh created the impression that it was located in the U.S. by using fake addresses and LinkedIn profiles of employees to make it appear like it was.
However, the investigation revealed that the company is actually in Siberia. Reuters reports that Pushwoosh consistently claimed to be based in the United States in regulatory filings and on social media. According to the outlet, the firm offers contract support and software for various organizations, including international companies, influential non-profits, and government agencies.
Pushwoosh’s software is found in over eight thousand Apple and Google Play apps. The Center for Disease Control and Prevention (CDC) was one of the clients. It has used its code until recently in at least seven public-facing apps. The U.S. Army also had a contract with the company.
The Reuters report suggests that the company is misrepresenting itself. One thing is that the company filed separate documents with the U.S. government and the Russian government, which provide contradicting information. Pushwoosh’s Delaware state registration showed that the company had listed addresses in Washington, D.C. and Maryland. However, it never claimed to be a Russian company. It stated, however, that it was located in the Siberian city Novosibirsk in southern Russia when it filed similar documents with the Russian government.
The company listed a few physical addresses in the U.S. in its marketing materials and on its website. However, Reuters claims that they are not connected to the company. It is said that the company also created many fake social media profiles for U.S-based executives.
Max Konev, the company’s founder, denied any suspicions of misconduct. He told Reuters that Pushwoosh had “no connection with any Russian government of any type” and that he hadn’t tried to conceal the company’s origins. He said, “I am proud to call myself Russian, and I wouldn’t hide this.” The fake LinkedIn profiles were also discredited by him, claiming they were created in 2018 by a marketing agency to “use social media for Pushwoosh, and not to hide the Russian origins of the company.”
After learning of Pushwoosh’s Russian origins, the CDC and the Army decided to abandon the code. Cybersecurity concerns are evident here. This company may not be what it appears, and the data it collected could have been misused or shared with Russia. Reuters says there is no evidence that Pushwoosh has done any of these things. Russian law enforcement has had a precedent in forcing Russian companies to provide user data to the government.