A software company whose code is used in thousands of widely downloaded American apps has been pretending to be based in the U.S. when, in reality, it operates out of Russia, new reporting from Reuters shows. The company, Pushwoosh, used fake street addresses and even fake employee profiles on LinkedIn to create the illusion that it was headquartered in the U.S., according to the recent investigation, but the firm actually calls a remote city in Siberia home.
Reuters reports that, in both regulatory filings and on social media, Pushwoosh has consistently advertised itself as being based in the U.S. The firm provides contract support and software to a broad array of organisations, including “international companies, influential non-profits and government agencies,” the outlet reports. Pushwoosh’s code is used in at least eight thousand different apps currently available on the Google Play and Apple store.
Pushwoosh’s clients have even included the Centre for Disease Control and Prevention (CDC), which, until recently, used the company’s code in at least seven different public-facing apps. The U.S. Army also contracted with the company.
However, the Reuters report seems to reveal a variety of shady tactics that see the company misrepresenting itself. Both the CDC and the Army ditched the company’s code after learning that Pushwoosh had misrepresented itself.
The company has made separate filings with the U.S. and Russian governments that provide conflicting information. In its filing with the state of Delaware, where Pushwoosh is registered, the company listed addresses in Washington D.C., California, and Maryland, and never characterised itself as Russian company. However, when it made similar filings with the Russian government, it stated that it was based in the city of Novosibirsk, which is located in southern Russia in the province of Siberia.
The company’s founder, Max Konev, has disavowed suspicions, telling the outlet that Pushwoosh “has no connection with the Russian government of any kind” and that he had not tried to hide the company’s origins. “I am proud to be Russian and I would never hide this,” he said.
In its marketing materials and on its website the company also listed a number of physical addresses based in the U.S. that Reuters says aren’t actually connected to the company. Reporters travelled to one of the addresses and found that it was the residence of a friend of Konev’s; the friend told the reporters that he had “nothing to do with Pushwoosh and had only agreed to allow Konev to use his address to receive mail.” The other address, which was said to be the firm’s “principal place of business” from 2014 to 2016, was for a residence in a California Bay Area town that local officials say doesn’t actually exist.
At the same time, the company created a raft of social media profiles for U.S.-based executives that are also fictional, Reuters reports. Konev claims that the fake profiles were created by a marketing agency in 2018 to “use social media to sell Pushwoosh, not to mask the company’s Russian origins.”
From a cybersecurity perspective, the obvious concern here is that this company isn’t what it seems and that data collected by it could have been misused or shared with the Russian government. To be clear, though, Reuters reports that there isn’t any evidence that Pushwoosh did either of those things. That said, it isn’t without precedent for Russian law enforcement to force Russian companies to furnish user data to the government.
Gizmodo reached out to Pushwoosh for comment and will update this story if the company responds.