U.S. Govt. Apps Bundled Russian Code With Ties to Mobile Malware Developer – Krebs on Security

A recent report from Reuters revealed that mobile apps for the US Army and the Centers for Disease Control and Prevention (CDC) were integrating software that sends visitor data to a Russian company called Pushwoosh, which claims to be based in the United States. But that story left out an important historical detail about Pushwoosh: In 2013, one of its developers admitted to writing the Pincer trojan, malware designed to secretly intercept and forward text messages from Android mobile devices.

Pushwoosh says it’s a US company that provides code for developers to profile smartphone app users based on their online activity, allowing them to send tailored notifications. But a recent investigation by Reuters has raised questions about the company’s actual location and veracity.

The Army told Reuters it removed an app containing Pushwoosh in March, citing “security concerns.” The Army program was used by soldiers at one of the nation’s main combat training bases.

Reuters said the CDC also recently removed Pushwoosh code from its program due to security concerns, after reporters reported that Pushwoosh was not based in the Washington area, as the company represented, but was instead operated out of Novosibirsk, Russia.

Pushwoosh’s software has also been found in programs for “a wide range of international companies, influential non-profits and government agencies from a global consumer goods company, Unilever, and the Union of European Football Associations (UEFA) to the politically powerful American gun lobby, the National Rifle Association (NRA), and Great Britain’s Labor Party.”

The company’s founder, Max Konev, told Reuters that Pushwoosh “has no connection with the Russian government of any kind” and that it stores its data in the United States and Germany.

But Reuters found that while Pushwoosh’s social media accounts and US regulatory filings list it as a US company based variously in California, Maryland and Washington, the company’s employees are located in Novosibirsk, Russia.

Reuters also learned that the company’s address in California did not exist, and that two LinkedIn accounts for Pushwoosh employees in Washington were fake.

“Pushwoosh has never mentioned that it is based in Russia in eight annual filings in the US state of Delaware, where it is registered, an omission that could violate state law,” Reuters reported.

Pushwoosh admitted the LinkedIn profiles were fake, but said they were created by a marketing firm to drum up business for the company — not misrepresent its location.

Pushwoosh told Reuters it used addresses in the Washington, D.C. area to “receive business correspondence” during the coronavirus pandemic. A review of the Pushwoosh founder’s online presence by Constella Intelligence shows that his Pushwoosh email address was linked to a phone number in Washington, D.C., which was also linked to email addresses and account profiles for more than a dozen other Pushwoosh employees.

Pushwoosh was incorporated in Novosibirsk, Russia in 2016.


The dust-up over Pushwoosh came in part from data collected by Zach Edwards, a security researcher who until recently worked for the Internet Security Laboratory, a non-profit organization that funds research into online threats.

Edwards said Pushwoosh started as Arello Mobile, and for several years the two co-branded – appearing side by side at various technology exhibitions. Around 2016, he said, the two companies both started using the name Pushwoosh.

A search of Pushwoosh’s codebase shows that one of the company’s longtime developers is a 41-year-old from Novosibirsk named Yuri Shmakov. In 2013, KrebsOnSecurity interviewed Shmakov for the story, “Who Wrote the Pincer Android Trojan?” in which Shmakov acknowledged writing the malware as an independent project.

Shmakov told me that, based on the customer’s specifications, he suspected that it might eventually be put to bad uses. Even so, he completed the job and signed his work by including his nickname in the program’s code.

“I’ve been working on this app for a few months, and I was hoping it would be really helpful,” Shmakov wrote. “[The] idea of this program is that you can set it as a spam filter…block some calls and SMS remotely, from a Web service. I was hoping that it would be [some kind of] blacklist, with login about blocked [messages/calls]. But of course, I understood that customer [did] not really want this.”

Shmakov did not respond to requests for comment. His LinkedIn profile says that he stopped working for Arello Mobile in 2016, and that he is currently employed full-time as the Android team leader at an online betting company.

In a blog post responding to the Reuters story, Pushwoosh said it is a privately held company incorporated under the state laws of Delaware, USA, and that Pushwoosh Inc. has never been owned by any company registered in the Russian Federation.

“Pushwoosh Inc. used to outsource development parts of the product to the Russian company in Novosibirsk, mentioned in the article,” the company said. “However, in February 2022, Pushwoosh Inc. terminated the contract.”

However, Edwards noted that dozens of developer subdomains on Pushwoosh’s main domain still point to JSC Avantel, a network provider based in Novosibirsk, Russia.


Pushwoosh employees posing at a company laser tag event.

Edwards said the U.S. Army application had a custom Pushwoosh configuration that did not appear in any other customer implementation.

“It had an extremely custom layout that didn’t exist anywhere else,” Edwards said. “Originally, it was an in-app web browser where it integrated Pushwoosh javascript so that whenever a user clicked on links, data went to Pushwoosh and they could push back whatever they wanted through the in-app browser.”

An Army Times article published the day after the Reuters story said at least 1,000 people had downloaded the app, which “delivered updates for soldiers at the National Training Center on Fort Irwin, California, a critical waypoint for deploying units to test their battlefield prowess before heading overseas.”

In April 2022, about 4,500 army personnel converged on the National Training Center for a war-gaming exercise on how to use lessons learned from Russia’s war against Ukraine to prepare for future battles against a major adversary such as Russia or China.

Despite Pushwoosh’s many misrepresentations, the company’s software doesn’t appear to have done anything wrong to its customers or users, Edwards said.

“Nothing they did was seen as malicious,” he said. “Apart from completely lying about where they are, where their data is hosted and where they have infrastructure.”

GOV 311

Edwards also found Pushwoosh’s technology embedded in nearly two dozen mobile apps that were sold to cities and towns across Illinois as a way to help citizens access general information about their local communities and officials.

The Illinois applications that bundled the Pushwoosh technology were produced by a company called Government 311, which is owned by Bill McCarty, the current director of the Springfield Office of Budget and Management. A 2014 story in The State Journal Register said Gov 311’s pricing was based on population, and that the program would cost about $2,500 a year for a city of about 25,000 people.

McCarty told KrebsOnSecurity that his company stopped using Pushwoosh “years ago,” and that it now relies on its own technology to provide push notifications through its 311 apps.

But Edwards found that some of the 311 apps still try to call home to Pushwoosh, like the 311 app for Riverton, Ill.

“Riverton stopped being a customer several years ago, which [is] probably why their app was never updated to change Pushwoosh,” McCarty explained. “We are in the process of updating all client apps and a website refresh. As part of that, old unused apps like Riverton 311 will be removed.”


Edwards said it’s not at all clear how many other state and local government programs and websites rely on technology that sends user data to US adversaries overseas. In July, Congress introduced an amended version of the Intelligence Authorization Act for 2023, which included a new section focusing on data drawn from online ad auctions that could be used to geolocate individuals or obtain other information about them.

Business Insider reports that if this section makes it into the final version – which the Senate must also pass – the Office for the Director of National Intelligence (ODNI) will have 60 days after the Act becomes law to produce a risk assessment. The assessment will look at “the counterintelligence risks of, and the exposure of intelligence community personnel to, tracking foreign adversaries through advertising technology data,” the Act states.

Edwards says he hopes those changes pass, because what he found with Pushwoosh is probably just a drop in the bucket.

“I hope Congress acts on this,” he said. “If they were to require that there be an annual review of foreign ad technology risks, that would at least force people to identify and document those connections.”

