Numerous iOS and Android apps, including one that may contain sensitive information about the US Army, have user-profiling code from a Russian company Pushwoosh that impersonated an American company, raising privacy and security concerns.
According to research, a broad range of applications, including those from the U.S. Army and the Centers for Disease Control and Prevention (CDC), had Pushwoosh malware installed. An app analytics company called Appfigures claims that approximately 8,000 applications in the Apple App Store and Google Play Store had Pushwoosh code.
Thousands of smartphone applications in Apple and Google’s online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is Russian, Reuters has found.
The Centers for Disease Control and Prevention (CDC), the United States’ central agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the U.S. capital. After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns.
The U.S. Army said it had removed an app containing Pushwoosh code in March because of the same concerns.”
Software developers may deliver push alerts to users with Pushwoosh, which offers code and data processing tools. The company’s website states that it does not gather sensitive data, and a Reuters investigation found no proof that Pushwoosh mishandled user data. There is still a potential security risk for businesses that employ the code. According to corporate records, Pushwoosh is based in the Siberian city of Novosibirsk. However, it promotes itself as a U.S. corporation on social media and in regulatory filings in the United States.
The Army told Reuters it removed an app containing Pushwoosh in March, citing “security issues.” It did not say how widely the app, which was an information portal for use at its National Training Center (NTC) in California, had been used by troops.
The NTC is a major battle training center in the Mojave Desert for pre-deployment soldiers, meaning a data breach there could reveal upcoming overseas troop movements”
The business claims it has data on 2.3 billion devices, and the code has been included in almost 8,000 applications overall. The article emphasizes that there is no proof that the Pushwoosh code was created with evil or deceitful purpose, but it was worrying that it went to such efforts to claim to be US-owned. The business also made two bogus executives with purported Washington, DC addresses and false LinkedIn accounts.